diff --git a/Fix-potential-free-of-non-heap-address.patch b/Fix-potential-free-of-non-heap-address.patch
new file mode 100644
index 0000000..be07a50
--- /dev/null
+++ b/Fix-potential-free-of-non-heap-address.patch
@@ -0,0 +1,28 @@
+From d5e838b8b752ea8039fe174c8944a41aed7034a2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 11 Sep 2017 10:52:03 -0400
+Subject: [PATCH] Fix potential free of non-heap address
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+Merges: #211
+(cherry picked from commit 068f4174001c3ea4ae7913fb37210fec84abf1df)
+---
+ proxy/src/client/gpm_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
+index 9a10c2f..340da2f 100644
+--- a/proxy/src/client/gpm_common.c
++++ b/proxy/src/client/gpm_common.c
+@@ -556,8 +556,8 @@ static int gpm_send_recv_loop(struct gpm_ctx *gpmctx, char *send_buffer,
+ ret = gpm_retry_socket(gpmctx);
+
+ /* Free buffer and set it to NULL to prevent free(xdr_reply_ctx) */
+- free(recv_buffer);
+- recv_buffer = NULL;
++ free(*recv_buffer);
++ *recv_buffer = NULL;
+
+ if (ret != 0)
+ return ret;
diff --git a/Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch b/Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch
new file mode 100644
index 0000000..577e75c
--- /dev/null
+++ b/Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch
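Review bot: In the gpm_send_recv_loop hunk carried by Fix-potential-free-of-non-heap-address.patch, the retained comment `/* Free buffer and set it to NULL to prevent free(xdr_reply_ctx) */` does not explain the indirection that the old `free(recv_buffer)` got wrong, and since free() takes `void *` the compiler accepts either spelling silently. The fixed lines imply recv_buffer is a pointer to the caller's buffer pointer, so I would reword the comment to `/* recv_buffer points at the caller's pointer: free the heap block it holds and clear it so the caller's cleanup does not free it again */`. If the function also returns a length through an out-parameter (its parameter list is cut off in the hunk header), that should be reset at the same spot so the caller never pairs a NULL buffer with a stale length. The function begins and ends outside this hunk.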
@@ -0,0 +1,28 @@
+From 427c50c9b350e52a1c7aec444e383badc4fc5485 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 12 Sep 2017 12:40:27 -0400
+Subject: [PATCH] Prevent uninitialized read in error path of XDR contexts
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+Merges: #211
+(cherry picked from commit 8ba0f42f06bc7d0ed68cb2eb3ef2794fc860ac2d)
+---
+ proxy/src/client/gpm_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
+index 340da2f..5e097ce 100644
+--- a/proxy/src/client/gpm_common.c
++++ b/proxy/src/client/gpm_common.c
+@@ -659,8 +659,8 @@ int gpm_make_call(int proc, union gp_rpc_arg *arg, union gp_rpc_res *res)
+ {
+ struct gpm_ctx *gpmctx;
+ gp_rpc_msg msg;
+- XDR xdr_call_ctx;
+- XDR xdr_reply_ctx;
++ XDR xdr_call_ctx = {0};
++ XDR xdr_reply_ctx = {0};
+ char *send_buffer = NULL;
+ char *recv_buffer = NULL;
+ uint32_t send_length;
diff --git a/gssproxy.spec b/gssproxy.spec
index 6ef0c98..389f322 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@ Name: gssproxy Version: 0.7.0 -Release: 14%{?dist} +Release: 15%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries
@@ -27,6 +27,8 @@ Patch9: Tolerate-NULL-pointers-in-gp_same.patch Patch10: Add-Client-ID-to-debug-messages.patch Patch11: client-Switch-to-non-blocking-sockets.patch Patch12: server-Add-detailed-request-logging.patch +Patch13: Fix-potential-free-of-non-heap-address.patch +Patch14: Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch ### Dependencies ### Requires: krb5-libs >= 1.12.0
@@ -119,6 +121,9 @@ rm -rf %{buildroot} %systemd_postun_with_restart gssproxy.service %changelog +* Tue Sep 12 2017 Robbie Harwood - 0.7.0-15 +- Backport two security fixes + * Tue Aug 22 2017 Robbie Harwood - 0.7.0-14 - Non-blocking IO + Extended request debug logging
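Review bot: In the gpm_make_call hunk carried by Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch, the `= {0}` initialisers leave the `x_ops` member of `xdr_call_ctx` and `xdr_reply_ctx` NULL, and the `xdr_destroy()` macro in glibc and libtirpc dereferences `x_ops` without checking it. If the cleanup path destroys a context that was never set up by one of the xdr create calls, the uninitialized read therefore becomes a NULL dereference rather than going away; the cleanup code lies outside this hunk, so that needs confirming there. A guard such as `if (xdr_reply_ctx.x_ops) xdr_destroy(&xdr_reply_ctx);`, and the same for `xdr_call_ctx`, keeps every early exit safe. A comment on the declarations, for example `/* zeroed so the error path can tell whether the context was ever created */`, would record why the initialisers exist. The function body continues past the last line of the hunk.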