rpcbind/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
Dirk Mueller 1abcad9219 Accepting request 360882 from home:kukuk:branches:network
- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset 
  interface for libtirpc, which is limited to 1024 connections.

- Sync with current git:
  - Replace 0002-revert-auth.patch with 
    0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
  - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
    to fix problems with activation via sockets by systemd
  - Replace 0032-CVE-2015-7236.patch with 
    0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
  - Add 0005-security.c-removed-warning.patch to fix compiler warnings
- Temporary remove 099-poll.patch

- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
  patches. 
- Submit for SLE12SP2 [FATE#320393]

- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
  remote scans [CVE-2015-7236, bsc#940191, bsc#946204]

- Document how to restrict addresses that rpcbind will listen on
  [bsc#935102]
  Added 0031-rpcbind-manpage.patch

- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
  forwarding (bnc#932423)

OBS-URL: https://build.opensuse.org/request/show/360882
OBS-URL: https://build.opensuse.org/package/show/network/rpcbind?expand=0&rev=58
2016-02-22 15:04:42 +00:00

83 lines
2.7 KiB
Diff

From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
From: Olaf Kirch <okir@suse.de>
Date: Fri, 30 Oct 2015 10:18:20 -0400
Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
- A PMAP_CALLIT call comes in on IPv4 UDP
- rpcbind duplicates the caller's address to a netbuf and stores it in
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
with a size of 16 bytes
- rpcbind forwards the call to the local service, receives a reply
- when processing the reply, it does this in xprt_set_caller:
xprt->xp_rtaddr = *FINFO[0].caller_addr
It sends out the reply, and then frees the netbuf caller_addr and
caller_addr.buf.
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
to memory region A, which is free.
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
be called, which will set xp_rtaddr to the client's address.
It will reuse the buffer inside xp_rtaddr, ie it will write a
sockaddr_in to region A
Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT
- While processing the TCP call, another UDP call comes in, again
overwriting region A with the client's address
- TCP client closes connection. In svc_destroy, we now trip over
the garbage left in region A
We ran into the case where a commercial scanner was triggering
occasional rpcbind segfaults. The core file that was captured showed
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
Signed-off-by: Olaf Kirch <okir@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..4ae93f1 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
return (ncallbacks_found);
}
+/*
+ * This is really a helper function defined in libtirpc,
+ * but unfortunately, it hasn't been exported yet.
+ */
+static struct netbuf *
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
+{
+ if (nb->len != len) {
+ if (nb->len)
+ mem_free(nb->buf, nb->len);
+ nb->buf = mem_alloc(len);
+ if (nb->buf == NULL)
+ return NULL;
+
+ nb->maxlen = nb->len = len;
+ }
+ memcpy(nb->buf, ptr, len);
+ return nb;
+}
+
static void
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
{
+ const struct netbuf *caller = fi->caller_addr;
u_int32_t *xidp;
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
xidp = __rpcb_get_dg_xidp(xprt);
*xidp = fi->caller_xid;
}
--
1.8.5.6