clnt_raw.c: fix a possible null pointer dereference (bz 2138317)

Signed-off-by: Steve Dickson <steved@redhat.com>
Resolves: bz2138317
Steve Dickson 2022-11-03 11:13:36 -04:00
parent b7eff374c6
commit 749c53605d
4 changed files with 54 additions and 489 deletions


@ -1,417 +0,0 @@
diff --git a/man/rpc_secure.3t b/man/rpc_secure.3t
index 4a1ad93..404df0b 100644
--- a/man/rpc_secure.3t
+++ b/man/rpc_secure.3t
@@ -19,7 +19,7 @@
.Ft AUTH *
.Fo authdes_pk_create
.Fa "char *name"
-.FA "netobj *publickey"
+.Fa "netobj *publickey"
.Fa "unsigned window"
.Fa "struct sockaddr *addr"
.Fa "des_block *ckey"
diff --git a/src/Makefile.am b/src/Makefile.am
index 932414d..b40a6b4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -38,7 +38,7 @@ endif
if GSS
libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c \
rpc_gss_utils.c
- libtirpc_la_LDFLAGS += $(GSSAPI_LIBS)
+ libtirpc_la_LIBADD = $(GSSAPI_LIBS)
libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSAPI_CFLAGS)
endif
diff --git a/src/auth_des.c b/src/auth_des.c
index af2f61f..c9af2e9 100644
--- a/src/auth_des.c
+++ b/src/auth_des.c
@@ -396,7 +396,7 @@ authdes_validate(AUTH *auth, struct opaque_auth *rverf)
/*
* validate
*/
- if (bcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp,
+ if (memcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp,
sizeof(struct timeval)) != 0) {
LIBTIRPC_DEBUG(1, ("authdes_validate: verifier mismatch"));
return (FALSE);
diff --git a/src/auth_gss.c b/src/auth_gss.c
index 5959893..7d08262 100644
--- a/src/auth_gss.c
+++ b/src/auth_gss.c
@@ -207,6 +207,7 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec)
rpc_createerr.cf_stat = RPC_SYSTEMERROR;
rpc_createerr.cf_error.re_errno = ENOMEM;
free(auth);
+ free(gd);
return (NULL);
}
}
@@ -592,7 +593,7 @@ _rpc_gss_refresh(AUTH *auth, rpc_gss_options_ret_t *options_ret)
if (rpc_gss_oid_to_mech(actual_mech_type, &mechanism)) {
strncpy(options_ret->actual_mechanism,
mechanism,
- sizeof(options_ret->actual_mechanism));
+ (sizeof(options_ret->actual_mechanism)-1));
}
gd->established = TRUE;
diff --git a/src/auth_time.c b/src/auth_time.c
index 69400bc..936dd76 100644
--- a/src/auth_time.c
+++ b/src/auth_time.c
@@ -104,7 +104,7 @@ static int uaddr_to_sockaddr(uaddr, sin)
p_bytes[1] = (unsigned char)a[5] & 0x000000FF;
sin->sin_family = AF_INET; /* always */
- bcopy((char *)&p_bytes, (char *)&sin->sin_port, 2);
+ memcpy((char *)&sin->sin_port, (char *)&p_bytes, 2);
return (0);
}
diff --git a/src/clnt_bcast.c b/src/clnt_bcast.c
index 98cf061..2ad6c89 100644
--- a/src/clnt_bcast.c
+++ b/src/clnt_bcast.c
@@ -330,6 +330,7 @@ rpc_broadcast_exp(prog, vers, proc, xargs, argsp, xresults, resultsp,
if (nettype == NULL)
nettype = "datagram_n";
if ((handle = __rpc_setconf(nettype)) == NULL) {
+ AUTH_DESTROY(sys_auth);
return (RPC_UNKNOWNPROTO);
}
while ((nconf = __rpc_getconf(handle)) != NULL) {
diff --git a/src/crypt_client.c b/src/crypt_client.c
index f393926..cd6f7de 100644
--- a/src/crypt_client.c
+++ b/src/crypt_client.c
@@ -75,8 +75,8 @@ _des_crypt_call(buf, len, dparms)
des_crypt_1_arg.desbuf.desbuf_val = buf;
des_crypt_1_arg.des_dir = dparms->des_dir;
des_crypt_1_arg.des_mode = dparms->des_mode;
- bcopy(dparms->des_ivec, des_crypt_1_arg.des_ivec, 8);
- bcopy(dparms->des_key, des_crypt_1_arg.des_key, 8);
+ memcpy(des_crypt_1_arg.des_ivec, dparms->des_ivec, 8);
+ memcpy(des_crypt_1_arg.des_key, dparms->des_key, 8);
result_1 = des_crypt_1(&des_crypt_1_arg, clnt);
if (result_1 == (desresp *) NULL) {
@@ -88,8 +88,8 @@ _des_crypt_call(buf, len, dparms)
if (result_1->stat == DESERR_NONE ||
result_1->stat == DESERR_NOHWDEVICE) {
- bcopy(result_1->desbuf.desbuf_val, buf, len);
- bcopy(result_1->des_ivec, dparms->des_ivec, 8);
+ memcpy(buf, result_1->desbuf.desbuf_val, len);
+ memcpy(dparms->des_ivec, result_1->des_ivec, 8);
}
clnt_freeres(clnt, (xdrproc_t)xdr_desresp, result_1);
diff --git a/src/getnetconfig.c b/src/getnetconfig.c
index 92e7c43..cfd33c2 100644
--- a/src/getnetconfig.c
+++ b/src/getnetconfig.c
@@ -681,6 +681,7 @@ struct netconfig *ncp;
{
struct netconfig *p;
char *tmp;
+ char *t;
u_int i;
if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL)
@@ -700,20 +701,21 @@ struct netconfig *ncp;
*/
*p = *ncp;
p->nc_netid = (char *)strcpy(tmp,ncp->nc_netid);
- tmp = strchr(tmp, 0) + 1;
- p->nc_protofmly = (char *)strcpy(tmp,ncp->nc_protofmly);
- tmp = strchr(tmp, 0) + 1;
- p->nc_proto = (char *)strcpy(tmp,ncp->nc_proto);
- tmp = strchr(tmp, 0) + 1;
- p->nc_device = (char *)strcpy(tmp,ncp->nc_device);
+ t = strchr(tmp, 0) + 1;
+ p->nc_protofmly = (char *)strcpy(t,ncp->nc_protofmly);
+ t = strchr(t, 0) + 1;
+ p->nc_proto = (char *)strcpy(t,ncp->nc_proto);
+ t = strchr(t, 0) + 1;
+ p->nc_device = (char *)strcpy(t,ncp->nc_device);
p->nc_lookups = (char **)malloc((size_t)(p->nc_nlookups+1) * sizeof(char *));
if (p->nc_lookups == NULL) {
- free(p->nc_netid);
+ free(p);
+ free(tmp);
return(NULL);
}
for (i=0; i < p->nc_nlookups; i++) {
- tmp = strchr(tmp, 0) + 1;
- p->nc_lookups[i] = (char *)strcpy(tmp,ncp->nc_lookups[i]);
+ t = strchr(t, 0) + 1;
+ p->nc_lookups[i] = (char *)strcpy(t,ncp->nc_lookups[i]);
}
return(p);
}
diff --git a/src/getnetpath.c b/src/getnetpath.c
index 7c19932..ea1a18c 100644
--- a/src/getnetpath.c
+++ b/src/getnetpath.c
@@ -88,6 +88,7 @@ setnetpath()
}
if ((np_sessionp->nc_handlep = setnetconfig()) == NULL) {
syslog (LOG_ERR, "rpc: failed to open " NETCONFIG);
+ free(np_sessionp);
return (NULL);
}
np_sessionp->valid = NP_VALID;
diff --git a/src/getpublickey.c b/src/getpublickey.c
index 8cf4dc2..be37a24 100644
--- a/src/getpublickey.c
+++ b/src/getpublickey.c
@@ -74,7 +74,7 @@ __getpublickey_real(netname, publickey)
return (0);
}
*p = '\0';
- (void) strncpy(publickey, lookup, HEXKEYBYTES);
+ memcpy(publickey, lookup, HEXKEYBYTES);
publickey[HEXKEYBYTES] = '\0';
return (1);
}
diff --git a/src/getrpcent.c b/src/getrpcent.c
index cba4cd8..e49dc05 100644
--- a/src/getrpcent.c
+++ b/src/getrpcent.c
@@ -100,7 +100,7 @@ _rpcdata()
return (d);
}
-#if !HAVE_GETRPCBYNYMBER
+#if !HAVE_GETRPCBYNUMBER
struct rpcent *
getrpcbynumber(number)
int number;
diff --git a/src/rpc_generic.c b/src/rpc_generic.c
index 589cbd5..51f36ac 100644
--- a/src/rpc_generic.c
+++ b/src/rpc_generic.c
@@ -319,6 +319,7 @@ __rpc_setconf(nettype)
handle->nflag = FALSE;
break;
default:
+ free(handle);
return (NULL);
}
diff --git a/src/rpc_soc.c b/src/rpc_soc.c
index 5a6eeb7..a85cb17 100644
--- a/src/rpc_soc.c
+++ b/src/rpc_soc.c
@@ -663,15 +663,17 @@ svcunix_create(sock, sendsize, recvsize, path)
strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
break;
}
- if (nconf == NULL)
+ if (nconf == NULL) {
+ endnetconfig(localhandle);
return(xprt);
+ }
if ((sock = __rpc_nconf2fd(nconf)) < 0)
goto done;
memset(&sun, 0, sizeof sun);
sun.sun_family = AF_LOCAL;
- strncpy(sun.sun_path, path, sizeof(sun.sun_path));
+ strncpy(sun.sun_path, path, (sizeof(sun.sun_path)-1));
addrlen = sizeof(struct sockaddr_un);
sa = (struct sockaddr *)&sun;
@@ -692,6 +694,8 @@ svcunix_create(sock, sendsize, recvsize, path)
}
xprt = (SVCXPRT *)svc_tli_create(sock, nconf, &taddr, sendsize, recvsize);
+ if (xprt == NULL)
+ close(sock);
done:
endnetconfig(localhandle);
diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
index e45736a..0c34cb7 100644
--- a/src/rpcb_clnt.c
+++ b/src/rpcb_clnt.c
@@ -547,6 +547,7 @@ try_nconf:
if (tmpnconf == NULL) {
rpc_createerr.cf_stat = RPC_UNKNOWNPROTO;
mutex_unlock(&loopnconf_lock);
+ endnetconfig(nc_handle);
return (NULL);
}
loopnconf = getnetconfigent(tmpnconf->nc_netid);
diff --git a/src/rtime.c b/src/rtime.c
index b642840..29fbf0a 100644
--- a/src/rtime.c
+++ b/src/rtime.c
@@ -90,6 +90,7 @@ rtime(addrp, timep, timeout)
/* TCP and UDP port are the same in this case */
if ((serv = getservbyname("time", "tcp")) == NULL) {
+ do_close(s);
return(-1);
}
diff --git a/src/svc_auth_des.c b/src/svc_auth_des.c
index 19a7c60..b096e08 100644
--- a/src/svc_auth_des.c
+++ b/src/svc_auth_des.c
@@ -145,7 +145,7 @@ _svcauth_des(rqst, msg)
return (AUTH_BADCRED);
}
cred->adc_fullname.name = area->area_netname;
- bcopy((char *)ixdr, cred->adc_fullname.name,
+ memcpy(cred->adc_fullname.name, (char *)ixdr,
(u_int)namelen);
cred->adc_fullname.name[namelen] = 0;
ixdr += (RNDUP(namelen) / BYTES_PER_XDR_UNIT);
@@ -419,7 +419,7 @@ cache_spot(key, name, timestamp)
if (cp->key.key.high == hi &&
cp->key.key.low == key->key.low &&
cp->rname != NULL &&
- bcmp(cp->rname, name, strlen(name) + 1) == 0) {
+ memcmp(cp->rname, name, strlen(name) + 1) == 0) {
if (BEFORE(timestamp, &cp->laststamp)) {
svcauthdes_stats.ncachereplays++;
return (-1); /* replay */
diff --git a/src/svc_generic.c b/src/svc_generic.c
index 52a56c2..20abaa2 100644
--- a/src/svc_generic.c
+++ b/src/svc_generic.c
@@ -113,6 +113,7 @@ svc_create(dispatch, prognum, versnum, nettype)
if (l == NULL) {
warnx("svc_create: no memory");
mutex_unlock(&xprtlist_lock);
+ __rpc_endconf(handle);
return (0);
}
l->xprt = xprt;
diff --git a/src/svc_simple.c b/src/svc_simple.c
index cb58002..c32fe0a 100644
--- a/src/svc_simple.c
+++ b/src/svc_simple.c
@@ -157,6 +157,7 @@ rpc_reg(prognum, versnum, procnum, progname, inproc, outproc, nettype)
((netid = strdup(nconf->nc_netid)) == NULL)) {
warnx(rpc_reg_err, rpc_reg_msg, __no_mem_str);
SVC_DESTROY(svcxprt);
+ free(xdrbuf);
break;
}
madenow = TRUE;
diff --git a/src/svc_vc.c b/src/svc_vc.c
index 97a76a3..c23cd36 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -502,9 +502,14 @@ read_vc(xprtp, buf, len)
cfp = (struct cf_conn *)xprt->xp_p1;
if (cfp->nonblock) {
+ /* Since len == 0 is returned on zero length
+ * read or EOF errno needs to be reset before
+ * the read
+ */
+ errno = 0;
len = read(sock, buf, (size_t)len);
if (len < 0) {
- if (errno == EAGAIN)
+ if (errno == EAGAIN || errno == EWOULDBLOCK)
len = 0;
else
goto fatal_err;
diff --git a/src/xdr.c b/src/xdr.c
index b9a1558..28d1382 100644
--- a/src/xdr.c
+++ b/src/xdr.c
@@ -877,7 +877,8 @@ xdr_int64_t(xdrs, llp)
if (XDR_GETLONG(xdrs, (long *)&ul[1]) == FALSE)
return (FALSE);
*llp = (int64_t)
- (((u_int64_t)ul[0] << 32) | ((u_int64_t)ul[1]));
+ (((u_int64_t)ul[0] << 32) |
+ ((u_int64_t)(ul[1]) & 0xffffffff));
return (TRUE);
case XDR_FREE:
return (TRUE);
@@ -910,7 +911,8 @@ xdr_u_int64_t(xdrs, ullp)
if (XDR_GETLONG(xdrs, (long *)&ul[1]) == FALSE)
return (FALSE);
*ullp = (u_int64_t)
- (((u_int64_t)ul[0] << 32) | ((u_int64_t)ul[1]));
+ (((u_int64_t)ul[0] << 32) |
+ ((u_int64_t)(ul[1]) & 0xffffffff));
return (TRUE);
case XDR_FREE:
return (TRUE);
diff --git a/src/xdr_rec.c b/src/xdr_rec.c
index 7d535cf..676cc82 100644
--- a/src/xdr_rec.c
+++ b/src/xdr_rec.c
@@ -61,6 +61,7 @@
#include <rpc/svc.h>
#include <rpc/clnt.h>
#include <stddef.h>
+#include <errno.h>
#include "rpc_com.h"
static bool_t xdrrec_getlong(XDR *, long *);
static bool_t xdrrec_putlong(XDR *, const long *);
@@ -537,7 +538,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
n = rstrm->readit(rstrm->tcp_handle, rstrm->in_hdrp,
(int)sizeof (rstrm->in_header) - rstrm->in_hdrlen);
if (n == 0) {
- *statp = expectdata ? XPRT_DIED : XPRT_IDLE;
+ /* EAGAIN or EWOULDBLOCK means a zero length
+ * read not an EOF.
+ */
+ if (errno == EAGAIN || errno == EWOULDBLOCK)
+ *statp = XPRT_IDLE;
+ else
+ *statp = expectdata ? XPRT_DIED : XPRT_IDLE;
return FALSE;
}
if (n < 0) {
@@ -564,6 +571,7 @@ __xdrrec_getrec(xdrs, statp, expectdata)
rstrm->in_header &= ~LAST_FRAG;
rstrm->last_frag = TRUE;
}
+ rstrm->in_haveheader = 1;
}
n = rstrm->readit(rstrm->tcp_handle,
@@ -576,7 +584,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
}
if (n == 0) {
- *statp = expectdata ? XPRT_DIED : XPRT_IDLE;
+ /* EAGAIN or EWOULDBLOCK means a zero length
+ * read not an EOF.
+ */
+ if (errno == EAGAIN || errno == EWOULDBLOCK)
+ *statp = XPRT_IDLE;
+ else
+ *statp = expectdata ? XPRT_DIED : XPRT_IDLE;
return FALSE;
}
diff --git a/tirpc/rpc/rpcent.h b/tirpc/rpc/rpcent.h
index 9d3ef9c..5bff876 100644
--- a/tirpc/rpc/rpcent.h
+++ b/tirpc/rpc/rpcent.h
@@ -48,8 +48,9 @@
extern "C" {
#endif
-/* These are defined in /usr/include/rpc/netdb.h */
-#if !defined(__GLIBC__) || defined(__UCLIBC__)
+/* These are defined in /usr/include/rpc/netdb.h, unless we are using
+ the C library without RPC support. */
+#if defined(__UCLIBC__) && !defined(__UCLIBC_HAS_RPC__) || !defined(__GLIBC__)
struct rpcent {
char *r_name; /* name of server for this rpc program */
char **r_aliases; /* alias list */


@ -1,71 +0,0 @@
diff --git a/doc/bindresvport.blacklist b/doc/bindresvport.blacklist
index 8904277..a7ed193 100644
--- a/doc/bindresvport.blacklist
+++ b/doc/bindresvport.blacklist
@@ -8,6 +8,7 @@
631 # cups
636 # ldaps
664 # Secure ASF, used by IPMI on some cards
+774 # rpasswd
921 # lwresd
993 # imaps
995 # pops
diff --git a/src/rpc_com.h b/src/rpc_com.h
index 10bec79..76badef 100644
--- a/src/rpc_com.h
+++ b/src/rpc_com.h
@@ -61,8 +61,7 @@ void __xprt_unregister_unlocked(SVCXPRT *);
void __xprt_set_raddr(SVCXPRT *, const struct sockaddr_storage *);
-SVCXPRT **__svc_xports;
-int __svc_maxrec;
+extern int __svc_maxrec;
#ifdef __cplusplus
}
diff --git a/src/rpc_soc.c b/src/rpc_soc.c
index ac7d312..fde121d 100644
--- a/src/rpc_soc.c
+++ b/src/rpc_soc.c
@@ -613,6 +613,13 @@ authdes_pk_create(servername, pkey, window, syncaddr, ckey)
des_block *ckey; /* optional conversation key to use */
{ return (NULL); }
+AUTH *
+authdes_seccreate(const char *servername, const u_int win,
+ const char *timehost, const des_block *ckey)
+{
+ return (NULL);
+}
+
#endif
diff --git a/src/svc.c b/src/svc.c
index b59467b..6db164b 100644
--- a/src/svc.c
+++ b/src/svc.c
@@ -57,6 +57,9 @@
#define max(a, b) (a > b ? a : b)
+static SVCXPRT **__svc_xports;
+int __svc_maxrec;
+
/*
* The services list
* Each entry represents a set of procedures (an rpc program).
diff --git a/src/xdr_float.c b/src/xdr_float.c
index 26bc865..349d48f 100644
--- a/src/xdr_float.c
+++ b/src/xdr_float.c
@@ -83,7 +83,7 @@ static struct sgl_limits {
};
#else
-#include <bits/endian.h>
+#include <endian.h>
#define IEEEFP
#endif /* vax */


@ -0,0 +1,51 @@
commit 4a2d85c64110ee9e21a8c4f9dafd6b0ae621506d
Author: Zhi Li <yieli@redhat.com>
Date: Fri Oct 28 14:19:04 2022 -0400
clnt_raw.c: fix a possible null pointer dereference
Since clntraw_private could be dereferenced before
allocated, protect it by checking its value in advance.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2138317
Signed-off-by: Zhi Li <yieli@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/clnt_raw.c b/src/clnt_raw.c
index 31f9d0c..03f839d 100644
--- a/src/clnt_raw.c
+++ b/src/clnt_raw.c
@@ -142,7 +142,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
struct timeval timeout;
{
struct clntraw_private *clp = clntraw_private;
- XDR *xdrs = &clp->xdr_stream;
+ XDR *xdrs;
struct rpc_msg msg;
enum clnt_stat status;
struct rpc_err error;
@@ -154,6 +154,7 @@ clnt_raw_call(h, proc, xargs, argsp, xresults, resultsp, timeout)
mutex_unlock(&clntraw_lock);
return (RPC_FAILED);
}
+ xdrs = &clp->xdr_stream;
mutex_unlock(&clntraw_lock);
call_again:
@@ -245,7 +246,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
void *res_ptr;
{
struct clntraw_private *clp = clntraw_private;
- XDR *xdrs = &clp->xdr_stream;
+ XDR *xdrs;
bool_t rval;
mutex_lock(&clntraw_lock);
@@ -254,6 +255,7 @@ clnt_raw_freeres(cl, xdr_res, res_ptr)
mutex_unlock(&clntraw_lock);
return (rval);
}
+ xdrs = &clp->xdr_stream;
mutex_unlock(&clntraw_lock);
xdrs->x_op = XDR_FREE;
return ((*xdr_res)(xdrs, res_ptr));
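Review bot: In both `clnt_raw_call` and `clnt_raw_freeres`, `clp` is still initialised from the global `clntraw_private` in its declaration, and in `clnt_raw_freeres` that declaration visibly precedes `mutex_lock(&clntraw_lock)`, so the pointer the later check tests is a snapshot read outside the lock. Deferring the `xdrs` assignment avoids forming `&clp->xdr_stream` from a null `clp`, but it leaves that unlocked read of shared state in place. Consider declaring `struct clntraw_private *clp;` without an initialiser and assigning `clp = clntraw_private;` directly after `mutex_lock(&clntraw_lock);` in both functions. The null test itself and the rest of both function bodies lie outside the hunks, so this assumes the check is on `clp`, as the commit message describes.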


@ -17,6 +17,7 @@ BuildRequires: make
# RHEL9.2 # RHEL9.2
# #
Patch001: libtirpc-1.3.3-blacklist-close.patch Patch001: libtirpc-1.3.3-blacklist-close.patch
Patch002: libtirpc-1.3.3-clnt-raw-ptr.patch
%description %description
This package contains SunLib's implementation of transport-independent This package contains SunLib's implementation of transport-independent
@ -117,8 +118,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Fri Oct 28 2022 Steve Dickson <steved@redhat.com> - 1.3.3-1 * Thu Nov 03 2022 Steve Dickson <steved@redhat.com> - 1.3.3-1
- bindresvport.c: fix a potential resource leakage (bz 2135405) - bindresvport.c: fix a potential resource leakage (bz 2135405)
- clnt_raw.c: fix a possible null pointer dereference (bz 2138317)
* Mon Aug 15 2022 Steve Dickson <steved@redhat.com> - 1.3.3 * Mon Aug 15 2022 Steve Dickson <steved@redhat.com> - 1.3.3
- Rebased to libtirpc-1.3.3 (bz 2118157) - Rebased to libtirpc-1.3.3 (bz 2118157)