- Fixed potential buffer overflow in xdr_strings

- Added an optimization to bindresvport that allows more ports to be tried.
Steve Dickson 2007-05-02 14:45:58 +00:00
parent bc197cf32a
commit 3d9be28ff2
3 changed files with 119 additions and 1 deletions


@ -0,0 +1,64 @@
commit c254b435007ebd4ed471737198975d5ccf4e7949
Author: Steve Dickson <steved@redhat.com>
Date: Thu Apr 26 17:20:21 2007 -0400
Added a optimization to bindresvport that allows more
ports to be tried.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/bindresvport.c b/src/bindresvport.c
index b197efa..bc75d29 100644
--- a/src/bindresvport.c
+++ b/src/bindresvport.c
@@ -62,6 +62,7 @@ bindresvport(sd, sin)
#ifdef __linux__
#define STARTPORT 600
+#define LOWPORT 512
#define ENDPORT (IPPORT_RESERVED - 1)
#define NPORTS (ENDPORT - STARTPORT + 1)
@@ -76,10 +77,13 @@ bindresvport_sa(sd, sa)
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
- u_int16_t port;
u_int16_t *portp;
+ static u_int16_t port;
+ static short startport = STARTPORT;
socklen_t salen;
- int i;
+ int nports = ENDPORT - startport + 1;
+ int endport = ENDPORT;
+ int i;
if (sa == NULL) {
salen = sizeof(myaddr);
@@ -119,13 +123,22 @@ bindresvport_sa(sd, sa)
}
res = -1;
errno = EADDRINUSE;
- for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
+ again:
+ for (i = 0; i < nports; ++i) {
*portp = htons(port++);
- if (port > ENDPORT) {
- port = STARTPORT;
- }
+ if (port > endport)
+ port = startport;
res = bind(sd, sa, salen);
+ if (res >= 0 || errno != EADDRINUSE)
+ break;
}
+ if (i == nports && startport != LOWPORT) {
+ startport = LOWPORT;
+ endport = STARTPORT - 1;
+ nports = STARTPORT - LOWPORT;
+ port = LOWPORT + port % (STARTPORT - LOWPORT);
+ goto again;
+ }
return (res);
}
#else
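Review bot: `port` and `startport` are now function-static in `bindresvport_sa`, yet the scan loop reads and writes them without any lock, so two threads setting up RPC transports at the same time can race on `port++` and on the `startport = LOWPORT` switch. The scan from `again:` to `return (res);` should run under a file-scope mutex, or work on per-call copies that are stored back once at the end. `startport` is also never reset to `STARTPORT`, so after the first exhaustion every later call in the process scans 512–1023 in a single pass. Since 512–599 contains well-known service ports (exec, login, shell, printer) that a daemon started later may then fail to bind, a comment beside `#define LOWPORT 512` should state that this is intended. The function body starts and ends outside these hunks, so how `port` is first seeded is not visible here.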


@ -0,0 +1,45 @@
commit 30431c6d846eab1bc6b7a3a91a7894f3acf2680f
Author: Steve Dickson <steved@redhat.com>
Date: Thu Apr 26 14:42:16 2007 -0400
Check for buffer overflow in xdr_string.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/xdr.c b/src/xdr.c
index 764c30f..292723b 100644
--- a/src/xdr.c
+++ b/src/xdr.c
@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize)
}
/* FALLTHROUGH */
case XDR_ENCODE:
+ if (sp == NULL)
+ return FALSE;
size = strlen(sp);
break;
case XDR_DECODE:
@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize)
return (FALSE);
}
nodesize = size + 1;
+ if (nodesize == 0) {
+ /* This means an overflow. It a bug in the caller which
+ * provided a too large maxsize but nevertheless catch it
+ * here.
+ */
+ return FALSE;
+ }
/*
* now deal with the actual bytes
@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize)
switch (xdrs->x_op) {
case XDR_DECODE:
- if (nodesize == 0) {
- return (TRUE);
- }
if (sp == NULL)
*cpp = sp = mem_alloc(nodesize);
if (sp == NULL) {
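Review bot: The new `nodesize == 0` guard rejects only the single wrapping value, so on decode every other length up to `maxsize` still reaches `mem_alloc(nodesize)`. If that length is read from the peer (the read is outside these hunks, so this is inferred), a caller that passes a very large `maxsize` lets one message request an allocation of several gigabytes. The comment should state that contract and fix its grammar, for example `/* size + 1 wrapped to 0: maxsize was the largest unsigned value. Callers must pass a realistic bound; fail instead of reporting success. */`. In the encode branch, `size = strlen(sp);` would also benefit from a comparison against `maxsize` before the assignment if `size` is narrower than `size_t`, which the hunk does not show. xdr_string's body starts and ends outside the hunks.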


@ -1,6 +1,6 @@
Name: libtirpc
Version: 0.1.7
Release: 5%{?dist}
Release: 6%{?dist}
Summary: Transport Independent RPC Library
Group: System Environment/Libraries
License: GPL
@ -35,6 +35,8 @@ Patch2: libtirpc-0.1.7-gssapi.patch
Patch3: libtirpc-0.1.7-svcauthnone.patch
Patch4: libtirpc-0.1.7-ppc64.patch
Patch5: libtirpc-0.1.7-svcauthdestroy.patch
Patch6: libtirpc-0.1.7-xdr_bufferoverlow.patch
Patch7: libtirpc-0.1.7-bindresvport_ports.patch
Patch100: libtirpc-0.1.7-compile.patch
@ -50,6 +52,8 @@ developing programs which use the tirpc library.
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch100 -p1
@ -129,6 +133,11 @@ rm -rf %{buildroot}
%{_includedir}/tirpc/un-namespace.h
%changelog
* Thu Apr 26 2007 <steved@redhat.com> 0.1.7-6
- Fixed potential buffer overflow in xdr_strings
- Added a optimization to bindresvport that allows more
ports to be tried.
* Mon Mar 26 2007 Steve Dickson <steved@redhat.com> 0.1.7-5
- Fixed Unowned Directory RPM problem (bz 233873)