From 2b23012f5de518428c537c3f769c7fa51a552314 Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Thu, 24 Jan 2008 20:11:52 +0000
Subject: [PATCH] Protect from buffer overflow in the GSS code. (bz 362121)
---
libtirpc-0.1.7-bufoverflow.patch | 35 ++++++++++++++++++++++++++++++++
libtirpc.spec | 7 ++++++-
2 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 libtirpc-0.1.7-bufoverflow.patch
diff --git a/libtirpc-0.1.7-bufoverflow.patch b/libtirpc-0.1.7-bufoverflow.patch
new file mode 100644
index 0000000..b9a7aa4
--- /dev/null
+++ b/libtirpc-0.1.7-bufoverflow.patch
@@ -0,0 +1,35 @@
+commit 3cf1a3ce1a409e647f9b8ca4497c26e6d066f293
+Author: Steve Dickson
+Date: Thu Jan 24 15:01:22 2008 -0500
+
+ Protect from buffer overflow in the GSS code.
+
+ Signed-off-by: Steve Dickson
+
+diff -up libtirpc-0.1.7/src/svc_auth_gss.c.orig libtirpc-0.1.7/src/svc_auth_gss.c
+--- libtirpc-0.1.7/src/svc_auth_gss.c.orig 2008-01-24 14:41:21.000000000 -0500
++++ libtirpc-0.1.7/src/svc_auth_gss.c 2008-01-24 14:59:31.000000000 -0500
+@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_
+ memset(rpchdr, 0, sizeof(rpchdr));
+
+ /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
++ oa = &msg->rm_call.cb_cred;
++ if (oa->oa_length > MAX_AUTH_BYTES)
++ return (FALSE);
++
++ /* 8 XDR units from the IXDR macro calls. */
++ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
++ RNDUP(oa->oa_length)))
++ return (FALSE);
++
+ buf = (int32_t *)rpchdr;
+ IXDR_PUT_LONG(buf, msg->rm_xid);
+ IXDR_PUT_ENUM(buf, msg->rm_direction);
+@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+- oa = &msg->rm_call.cb_cred;
+ IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ IXDR_PUT_LONG(buf, oa->oa_length);
+ if (oa->oa_length) {
diff --git a/libtirpc.spec b/libtirpc.spec
index 59fc811..e5fcacc 100644
--- a/libtirpc.spec
+++ b/libtirpc.spec
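Review bot: The size guard added ahead of `buf = (int32_t *)rpchdr;` hard-codes `8` as the number of XDR units written, so it goes stale without warning if an IXDR_PUT_* call is added or removed. Only seven such calls are visible across the two inner hunks; the eighth presumably sits on the unshown line between them. A named constant beside the puts would tie the two together, for example `#define GSS_HDR_FIXED_UNITS 8 /* one per IXDR_PUT_* call below */` (the name is a suggestion), used as `GSS_HDR_FIXED_UNITS * BYTES_PER_XDR_UNIT`. The `oa->oa_length > MAX_AUTH_BYTES` test also deserves a comment that it must stay first, since it bounds the peer-supplied length before `RNDUP()` does arithmetic on it: `/* keep before the RNDUP() check: bounds oa_length so the rounding cannot wrap */`. svcauth_gss_validate starts and ends outside the hunk, so the copy that consumes `oa_length` after `if (oa->oa_length) {` should be confirmed to use the same validated value.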
@@ -1,6 +1,6 @@ Name: libtirpc Version: 0.1.7 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Transport Independent RPC Library Group: System Environment/Libraries License: GPL @@ -44,6 +44,7 @@ Patch11: libtirpc-0.1.7-bindresvport-ntohs.patch Patch12: libtirpc-0.1.7-dgcall-iprecverr.patch Patch13: libtirpc-0.1.7-svc-rtaddr.patch Patch14: libtirpc-0.1.7-arm.patch +Patch15: libtirpc-0.1.7-bufoverflow.patch Patch100: libtirpc-0.1.7-compile.patch @@ -68,6 +69,7 @@ developing programs which use the tirpc library. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 %patch100 -p1 @@ -147,6 +149,9 @@ rm -rf %{buildroot} %{_includedir}/tirpc/un-namespace.h %changelog +* Thu Jan 24 2008 Steve Dickson 0.1.7-15 +- Protect from buffer overflow in the GSS code. (bz 362121) + * Mon Dec 17 2007 Steve Dickson 0.1.7-14 - Fixed typo in /etc/netconfig file (bz 414471)