- Fixed potential buffer overflow in xdr_strings
- Added an optimization to bindresvport that allows more ports to be tried.
parent
bc197cf32a
commit
3d9be28ff2
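--- a/libtirpc-0.1.7-bindresvport_ports.patch
+++ b/libtirpc-0.1.7-bindresvport_ports.patch
@@ -0,0 +1,64 @@
+commit c254b435007ebd4ed471737198975d5ccf4e7949
+Author: Steve Dickson <steved@redhat.com>
+Date: Thu Apr 26 17:20:21 2007 -0400
+
+Added a optimization to bindresvport that allows more
+ports to be tried.
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/bindresvport.c b/src/bindresvport.c
+index b197efa..bc75d29 100644
+--- a/src/bindresvport.c
++++ b/src/bindresvport.c
+@@ -62,6 +62,7 @@ bindresvport(sd, sin)
+#ifdef __linux__
+
+#define STARTPORT 600
++#define LOWPORT 512
+#define ENDPORT (IPPORT_RESERVED - 1)
+#define NPORTS (ENDPORT - STARTPORT + 1)
+
+@@ -76,10 +77,13 @@ bindresvport_sa(sd, sa)
+#ifdef INET6
+struct sockaddr_in6 *sin6;
+#endif
+- u_int16_t port;
+u_int16_t *portp;
++ static u_int16_t port;
++ static short startport = STARTPORT;
+socklen_t salen;
+- int i;
++ int nports = ENDPORT - startport + 1;
++ int endport = ENDPORT;
++ int i;
+
+if (sa == NULL) {
+salen = sizeof(myaddr);
+@@ -119,13 +123,22 @@ bindresvport_sa(sd, sa)
+}
+res = -1;
+errno = EADDRINUSE;
+- for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
++ again:
++ for (i = 0; i < nports; ++i) {
+*portp = htons(port++);
+- if (port > ENDPORT) {
+- port = STARTPORT;
+- }
++ if (port > endport)
++ port = startport;
+res = bind(sd, sa, salen);
++ if (res >= 0 || errno != EADDRINUSE)
++ break;
+}
++ if (i == nports && startport != LOWPORT) {
++ startport = LOWPORT;
++ endport = STARTPORT - 1;
++ nports = STARTPORT - LOWPORT;
++ port = LOWPORT + port % (STARTPORT - LOWPORT);
++ goto again;
++ }
+return (res);
+}
+#else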
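Review bot: Making `port` and `startport` `static` in the second hunk of the bindresvport.c patch turns them into state shared by every caller, and the loop in the third hunk reads and writes both with no lock visible in the hunks, so two threads binding at the same time can race on `port++` and on the `startport = LOWPORT` switch. Either serialize the loop with a file-local mutex or state the constraint at the declarations, e.g. `/* shared across calls; callers must serialize bindresvport_sa() */`. Once the fallback has run, `startport` stays at `LOWPORT` for the life of the process, so later calls scan LOWPORT..ENDPORT in a single pass; the 512–599 range holds several well-known service ports, so it is worth confirming that nothing on the host needs to bind them afterwards. How `port` is first seeded is outside the hunks shown, and bindresvport_sa's body starts before and continues between them.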
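--- a/libtirpc-0.1.7-xdr_bufferoverlow.patch
+++ b/libtirpc-0.1.7-xdr_bufferoverlow.patch
@@ -0,0 +1,45 @@
+commit 30431c6d846eab1bc6b7a3a91a7894f3acf2680f
+Author: Steve Dickson <steved@redhat.com>
+Date: Thu Apr 26 14:42:16 2007 -0400
+
+Check for buffer overflow in xdr_string.
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/xdr.c b/src/xdr.c
+index 764c30f..292723b 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize)
+}
+/* FALLTHROUGH */
+case XDR_ENCODE:
++ if (sp == NULL)
++ return FALSE;
+size = strlen(sp);
+break;
+case XDR_DECODE:
+@@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize)
+return (FALSE);
+}
+nodesize = size + 1;
++ if (nodesize == 0) {
++ /* This means an overflow. It a bug in the caller which
++ * provided a too large maxsize but nevertheless catch it
++ * here.
++ */
++ return FALSE;
++ }
+
+/*
+* now deal with the actual bytes
+@@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize)
+switch (xdrs->x_op) {
+
+case XDR_DECODE:
+- if (nodesize == 0) {
+- return (TRUE);
+- }
+if (sp == NULL)
+*cpp = sp = mem_alloc(nodesize);
+if (sp == NULL) {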
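Review bot: The new `nodesize == 0` guard in the second hunk of the xdr.c patch rejects only the single length for which `size + 1` wraps; every other length up to `maxsize` still reaches `mem_alloc(nodesize)` on the decode path, so a caller that passes an effectively unbounded `maxsize` leaves the allocation size to whatever length arrives on the wire. I would say that in the comment, e.g. `/* size + 1 wrapped: only possible when maxsize is the type's maximum; callers should pass a real bound */`, which also repairs the "It a bug" wording. The wrap test is well-defined only if `size` and `nodesize` are unsigned, which is declared outside the hunks and should be confirmed. The added `return FALSE;` lines also differ from the `return (FALSE);` form used in the surrounding context. xdr_string's body starts before the first hunk and continues past the last line shown.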
@ -1,6 +1,6 @@
|
|||||||
Name: libtirpc
|
Name: libtirpc
|
||||||
Version: 0.1.7
|
Version: 0.1.7
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: Transport Independent RPC Library
|
Summary: Transport Independent RPC Library
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: GPL
|
License: GPL
|
||||||
@ -35,6 +35,8 @@ Patch2: libtirpc-0.1.7-gssapi.patch
|
|||||||
Patch3: libtirpc-0.1.7-svcauthnone.patch
|
Patch3: libtirpc-0.1.7-svcauthnone.patch
|
||||||
Patch4: libtirpc-0.1.7-ppc64.patch
|
Patch4: libtirpc-0.1.7-ppc64.patch
|
||||||
Patch5: libtirpc-0.1.7-svcauthdestroy.patch
|
Patch5: libtirpc-0.1.7-svcauthdestroy.patch
|
||||||
|
Patch6: libtirpc-0.1.7-xdr_bufferoverlow.patch
|
||||||
|
Patch7: libtirpc-0.1.7-bindresvport_ports.patch
|
||||||
|
|
||||||
Patch100: libtirpc-0.1.7-compile.patch
|
Patch100: libtirpc-0.1.7-compile.patch
|
||||||
|
|
||||||
@ -50,6 +52,8 @@ developing programs which use the tirpc library.
|
|||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
|
|
||||||
@ -129,6 +133,11 @@ rm -rf %{buildroot}
|
|||||||
%{_includedir}/tirpc/un-namespace.h
|
%{_includedir}/tirpc/un-namespace.h
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 26 2007 <steved@redhat.com> 0.1.7-6
|
||||||
|
- Fixed potential buffer overflow in xdr_strings
|
||||||
|
- Added a optimization to bindresvport that allows more
|
||||||
|
ports to be tried.
|
||||||
|
|
||||||
* Mon Mar 26 2007 Steve Dickson <steved@redhat.com> 0.1.7-5
|
* Mon Mar 26 2007 Steve Dickson <steved@redhat.com> 0.1.7-5
|
||||||
- Fixed Unowned Directory RPM problem (bz 233873)
|
- Fixed Unowned Directory RPM problem (bz 233873)
|
||||||
|
|
||||||
|