From 749c53605d5e42fbf084c1c42683f8c327b97d2b Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 3 Nov 2022 11:13:36 -0400
Subject: [PATCH] clnt_raw.c: fix a possible null pointer dereference (bz
 2138317)

Signed-off-by: Steve Dickson <steved@redhat.com>
Resolves: bz2138317
---
 libtirpc-1.1.5-rc3.patch          | 417 ------------------------------
 libtirpc-1.2.6-rc2.patch          |  71 -----
 libtirpc-1.3.3-clnt-raw-ptr.patch |  51 ++++
 libtirpc.spec                     |   4 +-
 4 files changed, 54 insertions(+), 489 deletions(-)
 delete mode 100644 libtirpc-1.1.5-rc3.patch
 delete mode 100644 libtirpc-1.2.6-rc2.patch
 create mode 100644 libtirpc-1.3.3-clnt-raw-ptr.patch

diff --git a/libtirpc-1.1.5-rc3.patch b/libtirpc-1.1.5-rc3.patch
deleted file mode 100644
index 3478ad8..0000000
--- a/libtirpc-1.1.5-rc3.patch
+++ /dev/null
@@ -1,417 +0,0 @@
-diff --git a/man/rpc_secure.3t b/man/rpc_secure.3t
-index 4a1ad93..404df0b 100644
---- a/man/rpc_secure.3t
-+++ b/man/rpc_secure.3t
-@@ -19,7 +19,7 @@
- .Ft AUTH *
- .Fo authdes_pk_create
- .Fa "char *name"
--.FA "netobj *publickey"
-+.Fa "netobj *publickey"
- .Fa "unsigned window"
- .Fa "struct sockaddr *addr"
- .Fa "des_block *ckey"
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 932414d..b40a6b4 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -38,7 +38,7 @@ endif
- if GSS
-     libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c \
- 			   rpc_gss_utils.c
--    libtirpc_la_LDFLAGS += $(GSSAPI_LIBS)
-+    libtirpc_la_LIBADD = $(GSSAPI_LIBS)
-     libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSAPI_CFLAGS)
- endif
- 
-diff --git a/src/auth_des.c b/src/auth_des.c
-index af2f61f..c9af2e9 100644
---- a/src/auth_des.c
-+++ b/src/auth_des.c
-@@ -396,7 +396,7 @@ authdes_validate(AUTH *auth, struct opaque_auth *rverf)
- 	/*
- 	 * validate
- 	 */
--	if (bcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp,
-+	if (memcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp,
- 		 sizeof(struct timeval)) != 0) {
- 		LIBTIRPC_DEBUG(1, ("authdes_validate: verifier mismatch"));
- 		return (FALSE);
-diff --git a/src/auth_gss.c b/src/auth_gss.c
-index 5959893..7d08262 100644
---- a/src/auth_gss.c
-+++ b/src/auth_gss.c
-@@ -207,6 +207,7 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec)
- 			rpc_createerr.cf_stat = RPC_SYSTEMERROR;
- 			rpc_createerr.cf_error.re_errno = ENOMEM;
- 			free(auth);
-+			free(gd);
- 			return (NULL);
- 		}
- 	}
-@@ -592,7 +593,7 @@ _rpc_gss_refresh(AUTH *auth, rpc_gss_options_ret_t *options_ret)
- 			if (rpc_gss_oid_to_mech(actual_mech_type, &mechanism)) {
- 				strncpy(options_ret->actual_mechanism,
- 					mechanism,
--					sizeof(options_ret->actual_mechanism));
-+					(sizeof(options_ret->actual_mechanism)-1));
- 			}
- 
- 			gd->established = TRUE;
-diff --git a/src/auth_time.c b/src/auth_time.c
-index 69400bc..936dd76 100644
---- a/src/auth_time.c
-+++ b/src/auth_time.c
-@@ -104,7 +104,7 @@ static int uaddr_to_sockaddr(uaddr, sin)
- 	p_bytes[1] = (unsigned char)a[5] & 0x000000FF;
- 
- 	sin->sin_family = AF_INET; /* always */
--	bcopy((char *)&p_bytes, (char *)&sin->sin_port, 2);
-+	memcpy((char *)&sin->sin_port, (char *)&p_bytes, 2);
- 
- 	return (0);
- }
-diff --git a/src/clnt_bcast.c b/src/clnt_bcast.c
-index 98cf061..2ad6c89 100644
---- a/src/clnt_bcast.c
-+++ b/src/clnt_bcast.c
-@@ -330,6 +330,7 @@ rpc_broadcast_exp(prog, vers, proc, xargs, argsp, xresults, resultsp,
- 	if (nettype == NULL)
- 		nettype = "datagram_n";
- 	if ((handle = __rpc_setconf(nettype)) == NULL) {
-+		AUTH_DESTROY(sys_auth);
- 		return (RPC_UNKNOWNPROTO);
- 	}
- 	while ((nconf = __rpc_getconf(handle)) != NULL) {
-diff --git a/src/crypt_client.c b/src/crypt_client.c
-index f393926..cd6f7de 100644
---- a/src/crypt_client.c
-+++ b/src/crypt_client.c
-@@ -75,8 +75,8 @@ _des_crypt_call(buf, len, dparms)
- 	des_crypt_1_arg.desbuf.desbuf_val = buf;
- 	des_crypt_1_arg.des_dir = dparms->des_dir;
- 	des_crypt_1_arg.des_mode = dparms->des_mode;
--	bcopy(dparms->des_ivec, des_crypt_1_arg.des_ivec, 8);
--	bcopy(dparms->des_key, des_crypt_1_arg.des_key, 8);
-+	memcpy(des_crypt_1_arg.des_ivec, dparms->des_ivec, 8);
-+	memcpy(des_crypt_1_arg.des_key, dparms->des_key, 8);
- 
- 	result_1 = des_crypt_1(&des_crypt_1_arg, clnt);
- 	if (result_1 == (desresp *) NULL) {
-@@ -88,8 +88,8 @@ _des_crypt_call(buf, len, dparms)
- 
- 	if (result_1->stat == DESERR_NONE ||
- 	    result_1->stat == DESERR_NOHWDEVICE) {
--		bcopy(result_1->desbuf.desbuf_val, buf, len);
--		bcopy(result_1->des_ivec, dparms->des_ivec, 8);
-+		memcpy(buf, result_1->desbuf.desbuf_val, len);
-+		memcpy(dparms->des_ivec, result_1->des_ivec, 8);
- 	}
- 
- 	clnt_freeres(clnt, (xdrproc_t)xdr_desresp, result_1);
-diff --git a/src/getnetconfig.c b/src/getnetconfig.c
-index 92e7c43..cfd33c2 100644
---- a/src/getnetconfig.c
-+++ b/src/getnetconfig.c
-@@ -681,6 +681,7 @@ struct netconfig	*ncp;
- {
-     struct netconfig	*p;
-     char	*tmp;
-+    char	*t;
-     u_int	i;
- 
-     if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL)
-@@ -700,20 +701,21 @@ struct netconfig	*ncp;
-      */
-     *p = *ncp;
-     p->nc_netid = (char *)strcpy(tmp,ncp->nc_netid);
--    tmp = strchr(tmp, 0) + 1;
--    p->nc_protofmly = (char *)strcpy(tmp,ncp->nc_protofmly);
--    tmp = strchr(tmp, 0) + 1;
--    p->nc_proto = (char *)strcpy(tmp,ncp->nc_proto);
--    tmp = strchr(tmp, 0) + 1;
--    p->nc_device = (char *)strcpy(tmp,ncp->nc_device);
-+    t = strchr(tmp, 0) + 1;
-+    p->nc_protofmly = (char *)strcpy(t,ncp->nc_protofmly);
-+    t = strchr(t, 0) + 1;
-+    p->nc_proto = (char *)strcpy(t,ncp->nc_proto);
-+    t = strchr(t, 0) + 1;
-+    p->nc_device = (char *)strcpy(t,ncp->nc_device);
-     p->nc_lookups = (char **)malloc((size_t)(p->nc_nlookups+1) * sizeof(char *));
-     if (p->nc_lookups == NULL) {
--	free(p->nc_netid);
-+	free(p);
-+	free(tmp);
- 	return(NULL);
-     }
-     for (i=0; i < p->nc_nlookups; i++) {
--    	tmp = strchr(tmp, 0) + 1;
--    	p->nc_lookups[i] = (char *)strcpy(tmp,ncp->nc_lookups[i]);
-+	t = strchr(t, 0) + 1;
-+	p->nc_lookups[i] = (char *)strcpy(t,ncp->nc_lookups[i]);
-     }
-     return(p);
- }
-diff --git a/src/getnetpath.c b/src/getnetpath.c
-index 7c19932..ea1a18c 100644
---- a/src/getnetpath.c
-+++ b/src/getnetpath.c
-@@ -88,6 +88,7 @@ setnetpath()
-     }
-     if ((np_sessionp->nc_handlep = setnetconfig()) == NULL) {
- 	syslog (LOG_ERR, "rpc: failed to open " NETCONFIG);
-+	free(np_sessionp);
- 	return (NULL);
-     }
-     np_sessionp->valid = NP_VALID;
-diff --git a/src/getpublickey.c b/src/getpublickey.c
-index 8cf4dc2..be37a24 100644
---- a/src/getpublickey.c
-+++ b/src/getpublickey.c
-@@ -74,7 +74,7 @@ __getpublickey_real(netname, publickey)
- 		return (0);
- 	}
- 	*p = '\0';
--	(void) strncpy(publickey, lookup, HEXKEYBYTES);
-+	memcpy(publickey, lookup, HEXKEYBYTES);
- 	publickey[HEXKEYBYTES] = '\0';
- 	return (1);
- }
-diff --git a/src/getrpcent.c b/src/getrpcent.c
-index cba4cd8..e49dc05 100644
---- a/src/getrpcent.c
-+++ b/src/getrpcent.c
-@@ -100,7 +100,7 @@ _rpcdata()
- 	return (d);
- }
- 
--#if !HAVE_GETRPCBYNYMBER
-+#if !HAVE_GETRPCBYNUMBER
- struct rpcent *
- getrpcbynumber(number)
- 	int number;
-diff --git a/src/rpc_generic.c b/src/rpc_generic.c
-index 589cbd5..51f36ac 100644
---- a/src/rpc_generic.c
-+++ b/src/rpc_generic.c
-@@ -319,6 +319,7 @@ __rpc_setconf(nettype)
- 		handle->nflag = FALSE;
- 		break;
- 	default:
-+		free(handle);
- 		return (NULL);
- 	}
- 
-diff --git a/src/rpc_soc.c b/src/rpc_soc.c
-index 5a6eeb7..a85cb17 100644
---- a/src/rpc_soc.c
-+++ b/src/rpc_soc.c
-@@ -663,15 +663,17 @@ svcunix_create(sock, sendsize, recvsize, path)
- 		    strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
- 			break;
- 	}
--	if (nconf == NULL)
-+	if (nconf == NULL) {
-+		endnetconfig(localhandle);
- 		return(xprt);
-+	}
- 
- 	if ((sock = __rpc_nconf2fd(nconf)) < 0)
- 		goto done;
- 
- 	memset(&sun, 0, sizeof sun);
- 	sun.sun_family = AF_LOCAL;
--	strncpy(sun.sun_path, path, sizeof(sun.sun_path));
-+	strncpy(sun.sun_path, path, (sizeof(sun.sun_path)-1));
- 	addrlen = sizeof(struct sockaddr_un);
- 	sa = (struct sockaddr *)&sun;
- 
-@@ -692,6 +694,8 @@ svcunix_create(sock, sendsize, recvsize, path)
- 	}
- 
- 	xprt = (SVCXPRT *)svc_tli_create(sock, nconf, &taddr, sendsize, recvsize);
-+	if (xprt == NULL)
-+		close(sock);
- 
- done:
- 	endnetconfig(localhandle);
-diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
-index e45736a..0c34cb7 100644
---- a/src/rpcb_clnt.c
-+++ b/src/rpcb_clnt.c
-@@ -547,6 +547,7 @@ try_nconf:
- 		if (tmpnconf == NULL) {
-  			rpc_createerr.cf_stat = RPC_UNKNOWNPROTO;
- 			mutex_unlock(&loopnconf_lock);
-+			endnetconfig(nc_handle);
- 			return (NULL);
- 		}
- 		loopnconf = getnetconfigent(tmpnconf->nc_netid);
-diff --git a/src/rtime.c b/src/rtime.c
-index b642840..29fbf0a 100644
---- a/src/rtime.c
-+++ b/src/rtime.c
-@@ -90,6 +90,7 @@ rtime(addrp, timep, timeout)
- 
- 	/* TCP and UDP port are the same in this case */
- 	if ((serv = getservbyname("time", "tcp")) == NULL) {
-+		do_close(s);
- 		return(-1);
- 	}
- 
-diff --git a/src/svc_auth_des.c b/src/svc_auth_des.c
-index 19a7c60..b096e08 100644
---- a/src/svc_auth_des.c
-+++ b/src/svc_auth_des.c
-@@ -145,7 +145,7 @@ _svcauth_des(rqst, msg)
- 			return (AUTH_BADCRED);
- 		}
- 		cred->adc_fullname.name = area->area_netname;
--		bcopy((char *)ixdr, cred->adc_fullname.name, 
-+		memcpy(cred->adc_fullname.name, (char *)ixdr,
- 			(u_int)namelen);
- 		cred->adc_fullname.name[namelen] = 0;
- 		ixdr += (RNDUP(namelen) / BYTES_PER_XDR_UNIT);
-@@ -419,7 +419,7 @@ cache_spot(key, name, timestamp)
- 		if (cp->key.key.high == hi && 
- 		    cp->key.key.low == key->key.low &&
- 		    cp->rname != NULL &&
--		    bcmp(cp->rname, name, strlen(name) + 1) == 0) {
-+		    memcmp(cp->rname, name, strlen(name) + 1) == 0) {
- 			if (BEFORE(timestamp, &cp->laststamp)) {
- 				svcauthdes_stats.ncachereplays++;
- 				return (-1); /* replay */
-diff --git a/src/svc_generic.c b/src/svc_generic.c
-index 52a56c2..20abaa2 100644
---- a/src/svc_generic.c
-+++ b/src/svc_generic.c
-@@ -113,6 +113,7 @@ svc_create(dispatch, prognum, versnum, nettype)
- 				if (l == NULL) {
- 					warnx("svc_create: no memory");
- 					mutex_unlock(&xprtlist_lock);
-+					__rpc_endconf(handle);
- 					return (0);
- 				}
- 				l->xprt = xprt;
-diff --git a/src/svc_simple.c b/src/svc_simple.c
-index cb58002..c32fe0a 100644
---- a/src/svc_simple.c
-+++ b/src/svc_simple.c
-@@ -157,6 +157,7 @@ rpc_reg(prognum, versnum, procnum, progname, inproc, outproc, nettype)
- 				((netid = strdup(nconf->nc_netid)) == NULL)) {
- 				warnx(rpc_reg_err, rpc_reg_msg, __no_mem_str);
- 				SVC_DESTROY(svcxprt);
-+				free(xdrbuf);
- 				break;
- 			}
- 			madenow = TRUE;
-diff --git a/src/svc_vc.c b/src/svc_vc.c
-index 97a76a3..c23cd36 100644
---- a/src/svc_vc.c
-+++ b/src/svc_vc.c
-@@ -502,9 +502,14 @@ read_vc(xprtp, buf, len)
- 	cfp = (struct cf_conn *)xprt->xp_p1;
- 
- 	if (cfp->nonblock) {
-+		/* Since len == 0 is returned on zero length
-+		 * read or EOF errno needs to be reset before
-+		 * the read
-+		 */
-+		errno = 0;
- 		len = read(sock, buf, (size_t)len);
- 		if (len < 0) {
--			if (errno == EAGAIN)
-+			if (errno == EAGAIN || errno == EWOULDBLOCK)
- 				len = 0;
- 			else
- 				goto fatal_err;
-diff --git a/src/xdr.c b/src/xdr.c
-index b9a1558..28d1382 100644
---- a/src/xdr.c
-+++ b/src/xdr.c
-@@ -877,7 +877,8 @@ xdr_int64_t(xdrs, llp)
- 		if (XDR_GETLONG(xdrs, (long *)&ul[1]) == FALSE)
- 			return (FALSE);
- 		*llp = (int64_t)
--		    (((u_int64_t)ul[0] << 32) | ((u_int64_t)ul[1]));
-+		    (((u_int64_t)ul[0] << 32) |
-+		     ((u_int64_t)(ul[1]) & 0xffffffff));
- 		return (TRUE);
- 	case XDR_FREE:
- 		return (TRUE);
-@@ -910,7 +911,8 @@ xdr_u_int64_t(xdrs, ullp)
- 		if (XDR_GETLONG(xdrs, (long *)&ul[1]) == FALSE)
- 			return (FALSE);
- 		*ullp = (u_int64_t)
--		    (((u_int64_t)ul[0] << 32) | ((u_int64_t)ul[1]));
-+		    (((u_int64_t)ul[0] << 32) |
-+		     ((u_int64_t)(ul[1]) & 0xffffffff));
- 		return (TRUE);
- 	case XDR_FREE:
- 		return (TRUE);
-diff --git a/src/xdr_rec.c b/src/xdr_rec.c
-index 7d535cf..676cc82 100644
---- a/src/xdr_rec.c
-+++ b/src/xdr_rec.c
-@@ -61,6 +61,7 @@
- #include <rpc/svc.h>
- #include <rpc/clnt.h>
- #include <stddef.h>
-+#include <errno.h>
- #include "rpc_com.h"
- static bool_t	xdrrec_getlong(XDR *, long *);
- static bool_t	xdrrec_putlong(XDR *, const long *);
-@@ -537,7 +538,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
- 		n = rstrm->readit(rstrm->tcp_handle, rstrm->in_hdrp,
- 		    (int)sizeof (rstrm->in_header) - rstrm->in_hdrlen);
- 		if (n == 0) {
--			*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
-+			/* EAGAIN or EWOULDBLOCK means a zero length
-+			 * read not an EOF.
-+			 */
-+			if (errno == EAGAIN || errno == EWOULDBLOCK)
-+				*statp = XPRT_IDLE;
-+			else
-+				*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
- 			return FALSE;
- 		}
- 		if (n < 0) {
-@@ -564,6 +571,7 @@ __xdrrec_getrec(xdrs, statp, expectdata)
- 			rstrm->in_header &= ~LAST_FRAG;
- 			rstrm->last_frag = TRUE;
- 		}
-+		rstrm->in_haveheader = 1;
- 	}
- 
- 	n =  rstrm->readit(rstrm->tcp_handle,
-@@ -576,7 +584,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
- 	}
- 
- 	if (n == 0) {
--		*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
-+		/* EAGAIN or EWOULDBLOCK means a zero length
-+		 * read not an EOF.
-+		 */
-+		if (errno == EAGAIN || errno == EWOULDBLOCK)
-+			*statp = XPRT_IDLE;
-+		else
-+			*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
- 		return FALSE;
- 	}
- 
-diff --git a/tirpc/rpc/rpcent.h b/tirpc/rpc/rpcent.h
-index 9d3ef9c..5bff876 100644
---- a/tirpc/rpc/rpcent.h
-+++ b/tirpc/rpc/rpcent.h
-@@ -48,8 +48,9 @@
- extern "C" {
- #endif
- 
--/* These are defined in /usr/include/rpc/netdb.h */
--#if !defined(__GLIBC__) || defined(__UCLIBC__)
-+/* These are defined in /usr/include/rpc/netdb.h, unless we are using
-+   the C library without RPC support. */
-+#if defined(__UCLIBC__) && !defined(__UCLIBC_HAS_RPC__) || !defined(__GLIBC__)
- struct rpcent {
- 	char	*r_name;	/* name of server for this rpc program */
- 	char	**r_aliases;	/* alias list */
diff --git a/libtirpc-1.2.6-rc2.patch b/libtirpc-1.2.6-rc2.patch
deleted file mode 100644
index f80d40f..0000000
--- a/libtirpc-1.2.6-rc2.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-diff --git a/doc/bindresvport.blacklist b/doc/bindresvport.blacklist
-index 8904277..a7ed193 100644
---- a/doc/bindresvport.blacklist
-+++ b/doc/bindresvport.blacklist
-@@ -8,6 +8,7 @@
- 631     # cups
- 636     # ldaps
- 664     # Secure ASF, used by IPMI on some cards
-+774     # rpasswd
- 921     # lwresd
- 993     # imaps
- 995     # pops
-diff --git a/src/rpc_com.h b/src/rpc_com.h
-index 10bec79..76badef 100644
---- a/src/rpc_com.h
-+++ b/src/rpc_com.h
-@@ -61,8 +61,7 @@ void __xprt_unregister_unlocked(SVCXPRT *);
- void __xprt_set_raddr(SVCXPRT *, const struct sockaddr_storage *);
- 
- 
--SVCXPRT **__svc_xports;
--int __svc_maxrec;
-+extern int __svc_maxrec;
- 
- #ifdef __cplusplus
- }
-diff --git a/src/rpc_soc.c b/src/rpc_soc.c
-index ac7d312..fde121d 100644
---- a/src/rpc_soc.c
-+++ b/src/rpc_soc.c
-@@ -613,6 +613,13 @@ authdes_pk_create(servername, pkey, window, syncaddr, ckey)
- 	des_block *ckey;		/* optional conversation key to use */
- { return (NULL); }
- 
-+AUTH *
-+authdes_seccreate(const char *servername, const u_int win,
-+	const char *timehost, const des_block *ckey)
-+{
-+	return (NULL);
-+}
-+
- #endif
- 
- 
-diff --git a/src/svc.c b/src/svc.c
-index b59467b..6db164b 100644
---- a/src/svc.c
-+++ b/src/svc.c
-@@ -57,6 +57,9 @@
- 
- #define max(a, b) (a > b ? a : b)
- 
-+static SVCXPRT **__svc_xports;
-+int __svc_maxrec;
-+
- /*
-  * The services list
-  * Each entry represents a set of procedures (an rpc program).
-diff --git a/src/xdr_float.c b/src/xdr_float.c
-index 26bc865..349d48f 100644
---- a/src/xdr_float.c
-+++ b/src/xdr_float.c
-@@ -83,7 +83,7 @@ static struct sgl_limits {
- };
- #else
- 
--#include <bits/endian.h>
-+#include <endian.h>
- #define IEEEFP
- 
- #endif /* vax */
diff --git a/libtirpc-1.3.3-clnt-raw-ptr.patch b/libtirpc-1.3.3-clnt-raw-ptr.patch
new file mode 100644
index 0000000..0340c61
--- /dev/null
+++ b/libtirpc-1.3.3-clnt-raw-ptr.patch
@@ -0,0 +1,51 @@
+commit 4a2d85c64110ee9e21a8c4f9dafd6b0ae621506d
+Author: Zhi Li <yieli@redhat.com>
+Date:   Fri Oct 28 14:19:04 2022 -0400
+
+    clnt_raw.c: fix a possible null pointer dereference
+    
+    Since clntraw_private could be dereferenced before
+    allocated, protect it by checking its value in advance.
+    
+    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2138317
+    Signed-off-by: Zhi Li <yieli@redhat.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/clnt_raw.c b/src/clnt_raw.c
+index 31f9d0c..03f839d 100644
+--- a/src/clnt_raw.c
++++ b/src/clnt_raw.c
+@@ -142,7 +142,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
+ 	struct timeval timeout;
+ {
+ 	struct clntraw_private *clp = clntraw_private;
+-	XDR *xdrs = &clp->xdr_stream;
++	XDR *xdrs;
+ 	struct rpc_msg msg;
+ 	enum clnt_stat status;
+ 	struct rpc_err error;
+@@ -154,6 +154,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
+ 		mutex_unlock(&clntraw_lock);
+ 		return (RPC_FAILED);
+ 	}
++	xdrs = &clp->xdr_stream;
+ 	mutex_unlock(&clntraw_lock);
+ 
+ call_again:
+@@ -245,7 +246,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
+ 	void *res_ptr;
+ {
+ 	struct clntraw_private *clp = clntraw_private;
+-	XDR *xdrs = &clp->xdr_stream;
++	XDR *xdrs;
+ 	bool_t rval;
+ 
+ 	mutex_lock(&clntraw_lock);
+@@ -254,6 +255,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
+ 		mutex_unlock(&clntraw_lock);
+ 		return (rval);
+ 	}
++	xdrs = &clp->xdr_stream;
+ 	mutex_unlock(&clntraw_lock);
+ 	xdrs->x_op = XDR_FREE;
+ 	return ((*xdr_res)(xdrs, res_ptr));
diff --git a/libtirpc.spec b/libtirpc.spec
index 4853abf..7ef110c 100644
--- a/libtirpc.spec
+++ b/libtirpc.spec
@@ -17,6 +17,7 @@ BuildRequires: make
 # RHEL9.2
 #
 Patch001: libtirpc-1.3.3-blacklist-close.patch
+Patch002: libtirpc-1.3.3-clnt-raw-ptr.patch
 
 %description
 This package contains SunLib's implementation of transport-independent
@@ -117,8 +118,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 %{_mandir}/*/*
 
 %changelog
-* Fri Oct 28 2022 Steve Dickson <steved@redhat.com> - 1.3.3-1
+* Thu Nov 03 2022 Steve Dickson <steved@redhat.com> - 1.3.3-1
 - bindresvport.c: fix a potential resource leakage (bz 2135405)
+- clnt_raw.c: fix a possible null pointer dereference (bz 2138317)
 
 * Mon Aug 15 2022 Steve Dickson <steved@redhat.com> - 1.3.3
 - Rebased to libtirpc-1.3.3 (bz 2118157)