Fixed stack buffer overflow in rpcinfo (bz 1637562)

Signed-off-by: Steve Dickson <steved@redhat.com>
2018-10-09 10:07:32 -04:00 · 2018-10-09 10:07:32 -04:00 · aa31180791
commit aa31180791
parent ce8c000bb1
2 changed files with 72 additions and 1 deletions
--- a/rpcbind-1.2.5-rpcinfo-bufoverflow.patch
+++ b/rpcbind-1.2.5-rpcinfo-bufoverflow.patch
@ -0,0 +1,64 @@
+commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0
+Author: Steve Dickson <steved@redhat.com>
+Date:   Tue Oct 9 09:19:50 2018 -0400
+
+    rpcinfo: Fix stack buffer overflow
+    
+    *** buffer overflow detected ***: rpcinfo terminated
+    ======= Backtrace: =========
+    /lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
+    /lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
+    /lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
+    rpcinfo(+0x435f)[0xef3be2635f]
+    rpcinfo(+0x1c62)[0xef3be23c62]
+    /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
+    rpcinfo(+0x2739)[0xef3be24739]
+    ======= Memory map: ========
+    ...
+    The patch below fixes it.
+    
+    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+    Signed-off-by: Thomas Blume <thomas.blume@suse.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/rpcinfo.c b/src/rpcinfo.c
+index 9b46864..cfdba88 100644
+--- a/src/rpcinfo.c
+++ b/src/rpcinfo.c
+@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
+ 	("   program version(s) netid(s)                         service     owner\n");
+       for (rs = rs_head; rs; rs = rs->next)
+ 	{
+	  size_t netidmax = sizeof(buf) - 1;
+ 	  char *p = buf;
+ 
+ 	  printf ("%10ld  ", rs->prog);
+@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
+ 	    }
+ 	  printf ("%-10s", buf);
+ 	  buf[0] = '\0';
+-	  for (nl = rs->nlist; nl; nl = nl->next)
+-	    {
+-	      strcat (buf, nl->netid);
+-	      if (nl->next)
+-		strcat (buf, ",");
+-	    }
+
+          for (nl = rs->nlist; nl; nl = nl->next)
+            {
+              strncat (buf, nl->netid, netidmax);
+              if (strlen (nl->netid) < netidmax)
+                netidmax -= strlen(nl->netid);
+              else
+                break;
+
+              if (nl->next && netidmax > 1)
+                {
+                  strncat (buf, ",", netidmax);
+                  netidmax --;
+                }
+            }
+
+ 	  printf ("%-32s", buf);
+ 	  rpc = getrpcbynumber (rs->prog);
+ 	  if (rpc)
--- a/rpcbind.spec
+++ b/rpcbind.spec
@ -4,7 +4,7 @@

 Name:           rpcbind
 Version:        1.2.5
-Release:        0%{?dist}
+Release:        1%{?dist}
 Summary:        Universal Addresses to RPC Program Number Mapper
 Group:          System Environment/Daemons
 License:        BSD
@ -22,6 +22,8 @@ Requires(post): chkconfig systemd
 Requires(preun): systemd
 Requires(postun): systemd coreutils

+Patch001: rpcbind-1.2.5-rpcinfo-bufoverflow.patch
+
 Patch100: rpcbind-0.2.3-systemd-envfile.patch
 Patch101: rpcbind-0.2.3-systemd-tmpfiles.patch
 Patch102: rpcbind-0.2.4-runstatdir.patch
@ -38,6 +40,8 @@ RPC calls on a server on that machine.

 %prep
 %setup -q
+# 1637562 - rpcinfo: Fix stack buffer overflow
+%patch001 -p1

 %patch100 -p1
 %patch101 -p1
@ -124,6 +128,9 @@ fi
 %attr(0700, %{rpcbind_user_group}, %{rpcbind_user_group}) %dir %{rpcbind_state_dir}

 %changelog
+* Tue Oct  9 2018 Steve Dickson <steved@redhat.com> - 1.2.5-1
+- Fixed stack buffer overflow in rpcinfo (bz 1637562)
+
 * Wed Aug 15 2018 Steve Dickson <steved@redhat.com> - 1.2.5-0
 - Updated to latest upstream release: 1_2_5