Fix for CVE-2017-8779 (bz 1448127)

Signed-off-by: Steve Dickson <steved@redhat.com>
This commit is contained in:
Steve Dickson 2017-05-17 11:05:03 -04:00
parent f7fe76161e
commit 9a5d1d2d14
2 changed files with 269 additions and 1 deletions

View File

@ -0,0 +1,263 @@
commit dd9c7cf4f8f375c6d641b760d124650c418c2ce3
Author: Guido Vranken <guidovranken@gmail.com>
Date: Mon May 15 11:12:21 2017 -0400
Fix for CVE-2017-8779
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/rpc_generic.c b/src/rpc_generic.c
index 2f09a8f..589cbd5 100644
--- a/src/rpc_generic.c
+++ b/src/rpc_generic.c
@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
switch (af) {
case AF_INET:
+ if (nbuf->len < sizeof(*sin)) {
+ return NULL;
+ }
sin = nbuf->buf;
if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
== NULL)
@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
break;
#ifdef INET6
case AF_INET6:
+ if (nbuf->len < sizeof(*sin6)) {
+ return NULL;
+ }
sin6 = nbuf->buf;
if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
== NULL)
@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
port = 0;
sin = NULL;
+ if (uaddr == NULL)
+ return NULL;
addrstr = strdup(uaddr);
if (addrstr == NULL)
return NULL;
diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
index 43fd385..a923c8e 100644
--- a/src/rpcb_prot.c
+++ b/src/rpcb_prot.c
@@ -41,6 +41,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/rpcb_prot.h>
+#include "rpc_com.h"
bool_t
xdr_rpcb(xdrs, objp)
@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
return (FALSE);
}
return (TRUE);
@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
XDR *xdrs;
rpcb_entry *objp;
{
- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
return (FALSE);
}
return (TRUE);
@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
bool_t dummy;
struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_u_int(xdrs, &objp->results.results_len)) {
@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
return (FALSE);
}
+
+ if (objp->maxlen > RPC_MAXDATASIZE) {
+ return (FALSE);
+ }
+
dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
(u_int *)&(objp->len), objp->maxlen);
return (dummy);
diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
index 08db745..28e6a48 100644
--- a/src/rpcb_st_xdr.c
+++ b/src/rpcb_st_xdr.c
@@ -37,6 +37,7 @@
#include <rpc/rpc.h>
+#include "rpc_com.h"
/* Link list of all the stats about getport and getaddr */
@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
if (!xdr_int(xdrs, &objp->failure)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
IXDR_PUT_INT32(buf, objp->failure);
IXDR_PUT_INT32(buf, objp->indirect);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,
@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
objp->failure = (int)IXDR_GET_INT32(buf);
objp->indirect = (int)IXDR_GET_INT32(buf);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,
@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
if (!xdr_int(xdrs, &objp->indirect)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,
diff --git a/src/xdr.c b/src/xdr.c
index f3fb9ad..b9a1558 100644
--- a/src/xdr.c
+++ b/src/xdr.c
@@ -42,8 +42,10 @@
#include <stdlib.h>
#include <string.h>
+#include <rpc/rpc.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
+#include <rpc/rpc_com.h>
typedef quad_t longlong_t; /* ANSI long long type */
typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
*/
#define XDR_FALSE ((long) 0)
#define XDR_TRUE ((long) 1)
-#define LASTUNSIGNED ((u_int) 0-1)
/*
* for unit alignment
@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
{
char *sp = *cpp; /* sp is the actual string pointer */
u_int nodesize;
+ bool_t ret, allocated = FALSE;
/*
* first deal with the length since xdr bytes are counted
@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
}
if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
+ allocated = TRUE;
}
if (sp == NULL) {
warnx("xdr_bytes: out of memory");
@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
/* FALLTHROUGH */
case XDR_ENCODE:
- return (xdr_opaque(xdrs, sp, nodesize));
+ ret = xdr_opaque(xdrs, sp, nodesize);
+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+ if (allocated == TRUE) {
+ free(sp);
+ *cpp = NULL;
+ }
+ }
+ return (ret);
case XDR_FREE:
if (sp != NULL) {
@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
char *sp = *cpp; /* sp is the actual string pointer */
u_int size;
u_int nodesize;
+ bool_t ret, allocated = FALSE;
/*
* first deal with the length since xdr strings are counted-strings
@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
switch (xdrs->x_op) {
case XDR_DECODE:
- if (sp == NULL)
+ if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
+ allocated = TRUE;
+ }
if (sp == NULL) {
warnx("xdr_string: out of memory");
return (FALSE);
@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
/* FALLTHROUGH */
case XDR_ENCODE:
- return (xdr_opaque(xdrs, sp, size));
+ ret = xdr_opaque(xdrs, sp, size);
+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+ if (allocated == TRUE) {
+ free(sp);
+ *cpp = NULL;
+ }
+ }
+ return (ret);
case XDR_FREE:
mem_free(sp, nodesize);
@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
XDR *xdrs;
char **cpp;
{
- return xdr_string(xdrs, cpp, LASTUNSIGNED);
+ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
}
/*

View File

@ -2,7 +2,7 @@
Name: libtirpc
Version: 1.0.1
Release: 3.rc3%{?dist}.1
Release: 4.rc3%{?dist}
Summary: Transport Independent RPC Library
Group: System Environment/Libraries
License: SISSL and BSD
@ -11,6 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Source0: http://downloads.sourceforge.net/libtirpc/libtirpc-%{version}.tar.bz2
Patch001: libtirpc-1.0.2-rc3.patch
Patch002: libtirpc-1.0.2-CVE-2017-8779.patch
BuildRequires: automake, autoconf, libtool, pkgconfig
BuildRequires: krb5-devel
@ -42,6 +43,7 @@ developing programs which use the tirpc library.
%setup -q
%patch001 -p1
%patch002 -p1
# Remove .orig files
find . -name "*.orig" | xargs rm -f
@ -135,6 +137,9 @@ rm -rf %{buildroot}
%{_mandir}/*/*
%changelog
* Mon May 15 2017 Steve Dickson <steved@redhat.com> 1.0.1-4.rc3
- Fix for CVE-2017-8779 (bz 1448127)
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.1-3.rc3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild