From 62e251c24f5865497e1938dc0c040bd2e46a226e Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Sat, 10 Mar 2018 10:31:20 -0500
Subject: [PATCH] clnt_dg_call: Change the memory allocation

Signed-off-by: Steve Dickson
---
 libtirpc-1.0.3-alloca.patch | 51 +++++++++++++++++++++++++++++++++++++
 libtirpc.spec | 9 +++++--
 2 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 libtirpc-1.0.3-alloca.patch

diff --git a/libtirpc-1.0.3-alloca.patch b/libtirpc-1.0.3-alloca.patch
new file mode 100644
index 0000000..eff3c2a
--- /dev/null
+++ b/libtirpc-1.0.3-alloca.patch
@@ -0,0 +1,51 @@
+commit 7a42aa8af6779286aabb11a666f25f37ece98eb8
+Author: Steve Dickson
+Date: Tue Mar 6 13:05:17 2018 -0500
+
+ clnt_dg_call: Change the memory allocation
+
+ Commit 2936f109590e add free()s on memory that
+ was allocated from the stack (via alloca()).
+ That type memory is automatically freed so
+ those added free()s was causing a double frees.
+
+ It was suggested allocating memory from the
+ stack can be a bit troublesome. So this patch
+ changes the memory allocation from the stack
+ to the heap which also eliminates the double frees.
+
+ Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
+ BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
+
+ Reviewed-by: Chuck Lever
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/clnt_dg.c b/src/clnt_dg.c
+index 884a2db..04a2aba 100644
+--- a/src/clnt_dg.c
++++ b/src/clnt_dg.c
+@@ -430,7 +430,7 @@ get_reply:
+ struct sockaddr_in err_addr;
+ struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr;
+ struct iovec iov;
+- char *cbuf = (char *) alloca (outlen + 256);
++ char *cbuf = (char *) mem_alloc((outlen + 256));
+ int ret;
+ 
+ if (cbuf == NULL)
+@@ -462,13 +462,13 @@ get_reply:
+ cmsg = CMSG_NXTHDR (&msg, cmsg))
+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ {
+- free(cbuf);
++ mem_free(cbuf, (outlen + 256));
+ e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ cu->cu_error.re_errno = e->ee_errno;
+ release_fd_lock(cu->cu_fd, mask);
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
+- free(cbuf);
++ mem_free(cbuf, (outlen + 256));
+ }
+ #endif
+ 
diff --git a/libtirpc.spec b/libtirpc.spec
index b6a7fd5..7d4a6ea 100644
--- a/libtirpc.spec
+++ b/libtirpc.spec
@@ -2,7 +2,7 @@ Name: libtirpc
 Version: 1.0.2
-Release: 5.rc2%{?dist}
+Release: 6.rc2%{?dist}
 Summary: Transport Independent RPC Library
 Group: System Environment/Libraries
 License: SISSL and BSD
@@ -10,6 +10,7 @@ URL: http://nfsv4.bullopensource.org/
 Source0: http://downloads.sourceforge.net/libtirpc/libtirpc-%{version}.tar.bz2
 Patch001: libtirpc-1.0.3-rc2.patch
+Patch002: libtirpc-1.0.3-alloca.patch
 BuildRequires: automake, autoconf, libtool, pkgconfig
 BuildRequires: krb5-devel
@@ -41,6 +42,7 @@ developing programs which use the tirpc library.
 %setup -q
 %patch001 -p1
+%patch002 -p1
 # Remove .orig files
 find . -name "*.orig" | xargs rm -f
@@ -131,6 +133,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 %{_mandir}/*/*
 %changelog
+* Tue Mar 6 2018 Steve Dickson 1.0.2-6.rc2
+- clnt_dg_call: Change the memory allocation
+
 * Thu Mar 1 2018 Steve Dickson 1.0.2-5.rc2
 - Update to latest upstream RC release: libtirpc-1-0-3-rc2 (bz 1337142)
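Review bot: The second `mem_free(cbuf, (outlen + 256))` is immediately followed by a closing brace whose opening lies outside the hunk; if that enclosing block is conditional (say, on the call that fills `msg` succeeding), the path that skips it leaves clnt_dg_call with `cbuf` still allocated, a leak the earlier alloca() buffer could not have because it vanished with the frame. That path cannot be confirmed from these lines, so the enclosing block in src/clnt_dg.c should be checked and `cbuf` released on its skip/else path as well. A smaller point is that the size is spelled three times as `(outlen + 256)`; hoisting it once, e.g. `size_t cbuflen = outlen + 256;` followed by `mem_alloc(cbuflen)` and `mem_free(cbuf, cbuflen)`, keeps the allocation and release sizes from drifting, and the `(char *)` cast on the mem_alloc() result is unnecessary in C. clnt_dg_call's body begins and ends outside the hunk.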
@@ -140,7 +145,7 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 * Tue Nov 14 2017 Steve Dickson 1.0.2-4
 - Update to latest upstream RC release: libtirpc-1-0-3-rc1
-* Tue Aug 22 2017 Petr Ĺ abata - 1.0.2-3
+* Tue Aug 22 2017 Petr abata - 1.0.2-3
 - Fixing the FTBFS on behalf of Rafael Fonseca (rhbz#1482063)
 * Thu Aug 03 2017 Fedora Release Engineering - 1.0.2-2