diff --git a/libtirpc-0.1.7-bindresvport_ports.patch b/libtirpc-0.1.7-bindresvport_ports.patch new file mode 100644 index 0000000..f6db9e5 --- /dev/null +++ b/libtirpc-0.1.7-bindresvport_ports.patch @@ -0,0 +1,64 @@ +commit c254b435007ebd4ed471737198975d5ccf4e7949 +Author: Steve Dickson +Date: Thu Apr 26 17:20:21 2007 -0400 + + Added a optimization to bindresvport that allows more + ports to be tried. + + Signed-off-by: Steve Dickson + +diff --git a/src/bindresvport.c b/src/bindresvport.c +index b197efa..bc75d29 100644 +--- a/src/bindresvport.c ++++ b/src/bindresvport.c +@@ -62,6 +62,7 @@ bindresvport(sd, sin) + #ifdef __linux__ + + #define STARTPORT 600 ++#define LOWPORT 512 + #define ENDPORT (IPPORT_RESERVED - 1) + #define NPORTS (ENDPORT - STARTPORT + 1) + +@@ -76,10 +77,13 @@ bindresvport_sa(sd, sa) + #ifdef INET6 + struct sockaddr_in6 *sin6; + #endif +- u_int16_t port; + u_int16_t *portp; ++ static u_int16_t port; ++ static short startport = STARTPORT; + socklen_t salen; +- int i; ++ int nports = ENDPORT - startport + 1; ++ int endport = ENDPORT; ++ int i; + + if (sa == NULL) { + salen = sizeof(myaddr); +@@ -119,13 +123,22 @@ bindresvport_sa(sd, sa) + } + res = -1; + errno = EADDRINUSE; +- for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) { ++ again: ++ for (i = 0; i < nports; ++i) { + *portp = htons(port++); +- if (port > ENDPORT) { +- port = STARTPORT; +- } ++ if (port > endport) ++ port = startport; + res = bind(sd, sa, salen); ++ if (res >= 0 || errno != EADDRINUSE) ++ break; + } ++ if (i == nports && startport != LOWPORT) { ++ startport = LOWPORT; ++ endport = STARTPORT - 1; ++ nports = STARTPORT - LOWPORT; ++ port = LOWPORT + port % (STARTPORT - LOWPORT); ++ goto again; ++ } + return (res); + } + #else diff --git a/libtirpc-0.1.7-xdr_bufferoverlow.patch b/libtirpc-0.1.7-xdr_bufferoverlow.patch new file mode 100644 index 0000000..242731b --- /dev/null +++ b/libtirpc-0.1.7-xdr_bufferoverlow.patch @@ -0,0 +1,45 @@ +commit 30431c6d846eab1bc6b7a3a91a7894f3acf2680f +Author: Steve Dickson +Date: Thu Apr 26 14:42:16 2007 -0400 + + Check for buffer overflow in xdr_string. + + Signed-off-by: Steve Dickson + +diff --git a/src/xdr.c b/src/xdr.c +index 764c30f..292723b 100644 +--- a/src/xdr.c ++++ b/src/xdr.c +@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize) + } + /* FALLTHROUGH */ + case XDR_ENCODE: ++ if (sp == NULL) ++ return FALSE; + size = strlen(sp); + break; + case XDR_DECODE: +@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize) + return (FALSE); + } + nodesize = size + 1; ++ if (nodesize == 0) { ++ /* This means an overflow. It a bug in the caller which ++ * provided a too large maxsize but nevertheless catch it ++ * here. ++ */ ++ return FALSE; ++ } + + /* + * now deal with the actual bytes +@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize) + switch (xdrs->x_op) { + + case XDR_DECODE: +- if (nodesize == 0) { +- return (TRUE); +- } + if (sp == NULL) + *cpp = sp = mem_alloc(nodesize); + if (sp == NULL) { diff --git a/libtirpc.spec b/libtirpc.spec index 4ffcbf9..3bac4b8 100644 --- a/libtirpc.spec +++ b/libtirpc.spec @@ -1,6 +1,6 @@ Name: libtirpc Version: 0.1.7 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Transport Independent RPC Library Group: System Environment/Libraries License: GPL @@ -35,6 +35,8 @@ Patch2: libtirpc-0.1.7-gssapi.patch Patch3: libtirpc-0.1.7-svcauthnone.patch Patch4: libtirpc-0.1.7-ppc64.patch Patch5: libtirpc-0.1.7-svcauthdestroy.patch +Patch6: libtirpc-0.1.7-xdr_bufferoverlow.patch +Patch7: libtirpc-0.1.7-bindresvport_ports.patch Patch100: libtirpc-0.1.7-compile.patch @@ -50,6 +52,8 @@ developing programs which use the tirpc library. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 %patch100 -p1 @@ -129,6 +133,11 @@ rm -rf %{buildroot} %{_includedir}/tirpc/un-namespace.h %changelog +* Thu Apr 26 2007 0.1.7-6 +- Fixed potential buffer overflow in xdr_strings +- Added a optimization to bindresvport that allows more + ports to be tried. + * Mon Mar 26 2007 Steve Dickson 0.1.7-5 - Fixed Unowned Directory RPM problem (bz 233873)