From 0815621598564891abc76ce5c29472ce19fb3d95 Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Mon, 27 Oct 2008 17:17:04 +0000
Subject: [PATCH] - Fix bad assumption taddr2uaddr processing that caused a segfault (bz468014)
---
 libtirpc-0.1.7-taddr2uaddr-segflt.patch | 25 +++++++++++++++++++++++++
 libtirpc.spec | 13 ++++++++++---
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 libtirpc-0.1.7-taddr2uaddr-segflt.patch
diff --git a/libtirpc-0.1.7-taddr2uaddr-segflt.patch b/libtirpc-0.1.7-taddr2uaddr-segflt.patch
new file mode 100644
index 0000000..15339b7
--- /dev/null
+++ b/libtirpc-0.1.7-taddr2uaddr-segflt.patch
@@ -0,0 +1,25 @@
+commit 338af7f9f00e096b65a6d823f885c4eeaf1d1f8c
+Author: Steve Dickson
+Date: Mon Oct 27 12:46:54 2008 -0400
+
+ __rpc_taddr2uaddr_af() assumes the netbuf to always have a
+ non-zero data. This is a bad assumption and can lead to a
+ seg-fault. This patch adds a check for zero length and returns
+ NULL when found.
+
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 3aad018..27de254 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -603,6 +603,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ #endif
+ u_int16_t port;
+
++ if (nbuf->len <= 0)
++ return NULL;
++
+ switch (af) {
+ case AF_INET:
+ sin = nbuf->buf;
diff --git a/libtirpc.spec b/libtirpc.spec
index c56a1c5..bf16654 100644
--- a/libtirpc.spec
+++ b/libtirpc.spec
@@ -1,6 +1,6 @@
 Name: libtirpc
 Version: 0.1.9
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Transport Independent RPC Library
 Group: System Environment/Libraries
 License: SISSL
@@ -34,6 +34,7 @@ Patch01: libtirpc-0.1.9-rpc_getbroadifs-sizeof.patch
 Patch02: libtirpc-0.1.9-ipv6-socket.patch
 Patch03: libtirpc-0.1.9-taddr2addr-typo.patch
 Patch04: libtirpc-0.1.9-warnings.patch
+Patch05: libtirpc-0.1.7-taddr2uaddr-segflt.patch
 Patch100: libtirpc-0.1.7-compile.patch
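Review bot: The guard added to __rpc_taddr2uaddr_af() rejects only an empty netbuf, so a netbuf whose len is non-zero but smaller than the address structure still reaches `sin = nbuf->buf;` at the end of the hunk and is presumably then read as a whole struct sockaddr_in; the length should be validated against the family selected by the switch, e.g. in the AF_INET case `if (nbuf->len < sizeof *sin) return NULL;`, with the matching check in the AF_INET6 case that lies outside the hunk. The guard also lets a NULL `nbuf->buf` with a non-zero len through; `if (nbuf->buf == NULL || nbuf->len == 0) return NULL;` covers both conditions and drops the `<= 0` comparison, which collapses to `== 0` if len is unsigned as in the XTI netbuf definition (worth confirming in this tree, since -Wextra will flag it). The rest of the function body, including the declaration of sin, starts and ends outside the hunk.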
@@ -48,6 +49,8 @@ developing programs which use the tirpc library.
 %patch02 -p1
 %patch03 -p1
 %patch04 -p1
+# 468014: rpcbind DoS in the taddr2uaddr XDR_DECODE
+%patch05 -p1
 %patch100 -p1
@@ -146,12 +149,16 @@ rm -rf %{buildroot}
 %{_mandir}/*/*
 %changelog
+* Mon Oct 27 2008 Steve Dickson 0.1.8-6
+- Fix bad assumption taddr2uaddr processing that
+ caused a segfault (bz468014)
+
 * Tue Sep 16 2008 Steve Dickson 0.1.9-5
 - Fix for taddr2addr conversion bug of local addresses
 - Fixed some of warnings in: src/auth_time.c, src/clnt_dg.c and
- src/clnt_raw.c
+ src/clnt_raw.c
 - Added some #ifdef NOTUSED around some code in src/rpbc_clnt.c
- that was not being used...
+ that was not being used...
 * Thu Sep 4 2008 Steve Dickson 0.1.9-4
 - Always make IPv6 sockets V6ONLY
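Review bot: The new changelog entry's version string `0.1.8-6` does not match the `Version: 0.1.9` and `Release: 6%{?dist}` that this same commit sets in the first hunk of libtirpc.spec, so the line should read `+* Mon Oct 27 2008 Steve Dickson 0.1.9-6`. The %patch05 hunk just above it is fine as written; its comment ties the patch to the bug number, which is what a later rebase needs. Both spec hunks in this rendering appear to have lost trailing context lines (the headers count six old lines and only four are printed), so the text beyond `%patch100 -p1` and the blank lines between changelog entries are not visible here.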