From aa311807910a0593ddf7b4ed3746a43742cebcc4 Mon Sep 17 00:00:00 2001
From: Steve Dickson
Date: Tue, 9 Oct 2018 10:07:32 -0400
Subject: [PATCH] Fixed stack buffer overflow in rpcinfo (bz 1637562)
Signed-off-by: Steve Dickson
---
 rpcbind-1.2.5-rpcinfo-bufoverflow.patch | 64 +++++++++++++++++++++++++
 rpcbind.spec | 9 +++-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 rpcbind-1.2.5-rpcinfo-bufoverflow.patch
diff --git a/rpcbind-1.2.5-rpcinfo-bufoverflow.patch b/rpcbind-1.2.5-rpcinfo-bufoverflow.patch
new file mode 100644
index 0000000..e9cd522
--- /dev/null
+++ b/rpcbind-1.2.5-rpcinfo-bufoverflow.patch
@@ -0,0 +1,64 @@
+commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0
+Author: Steve Dickson
+Date: Tue Oct 9 09:19:50 2018 -0400
+
+ rpcinfo: Fix stack buffer overflow
+
+ *** buffer overflow detected ***: rpcinfo terminated
+ ======= Backtrace: =========
+ /lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
+ /lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
+ /lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
+ rpcinfo(+0x435f)[0xef3be2635f]
+ rpcinfo(+0x1c62)[0xef3be23c62]
+ /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
+ rpcinfo(+0x2739)[0xef3be24739]
+ ======= Memory map: ========
+ ...
+ The patch below fixes it.
+
+ Reviewed-by: Chuck Lever
+ Signed-off-by: Thomas Blume
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/rpcinfo.c b/src/rpcinfo.c
+index 9b46864..cfdba88 100644
+--- a/src/rpcinfo.c
++++ b/src/rpcinfo.c
+@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
+ (" program version(s) netid(s) service owner\n");
+ for (rs = rs_head; rs; rs = rs->next)
+ {
++ size_t netidmax = sizeof(buf) - 1;
+ char *p = buf;
+ 
+ printf ("%10ld ", rs->prog);
+@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
+ }
+ printf ("%-10s", buf);
+ buf[0] = '\0';
+- for (nl = rs->nlist; nl; nl = nl->next)
+- {
+- strcat (buf, nl->netid);
+- if (nl->next)
+- strcat (buf, ",");
+- }
++
++ for (nl = rs->nlist; nl; nl = nl->next)
++ {
++ strncat (buf, nl->netid, netidmax);
++ if (strlen (nl->netid) < netidmax)
++ netidmax -= strlen(nl->netid);
++ else
++ break;
++
++ if (nl->next && netidmax > 1)
++ {
++ strncat (buf, ",", netidmax);
++ netidmax --;
++ }
++ }
++
+ printf ("%-32s", buf);
+ rpc = getrpcbynumber (rs->prog);
+ if (rpc)
diff --git a/rpcbind.spec b/rpcbind.spec
index 9158870..d9041e2 100644
--- a/rpcbind.spec
+++ b/rpcbind.spec
@@ -4,7 +4,7 @@
 Name: rpcbind
 Version: 1.2.5
-Release: 0%{?dist}
+Release: 1%{?dist}
 Summary: Universal Addresses to RPC Program Number Mapper
 Group: System Environment/Daemons
 License: BSD
@@ -22,6 +22,8 @@ Requires(post): chkconfig systemd
 Requires(preun): systemd
 Requires(postun): systemd coreutils
+Patch001: rpcbind-1.2.5-rpcinfo-bufoverflow.patch
+
 Patch100: rpcbind-0.2.3-systemd-envfile.patch
 Patch101: rpcbind-0.2.3-systemd-tmpfiles.patch
 Patch102: rpcbind-0.2.4-runstatdir.patch
@@ -38,6 +40,8 @@ RPC calls on a server on that machine.
 %prep
 %setup -q
+# 1637562 - rpcinfo: Fix stack buffer overflow
+%patch001 -p1
 %patch100 -p1
 %patch101 -p1
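Review bot: The bounded copy in the new netid loop of `rpcbdump` is correct, but the truncation it introduces is silent: once the remaining capacity runs out the `break` drops the rest of the netid list and the `%-32s` line prints a shortened list with no marker. A one-line comment above the loop, such as `/* netid list is truncated to fit buf; entries that do not fit are dropped */`, would save the next reader from re-deriving that from the arithmetic. `strlen (nl->netid)` is also computed twice per iteration; `size_t len = strlen (nl->netid);` before the `strncat` would let both the bound check and the subtraction use it. The earlier writes into the same `buf` through `p` (between the two hunks) are not touched by this change; presumably they are bounded separately, which is worth confirming. `rpcbdump` starts and ends outside the hunk.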
@@ -124,6 +128,9 @@ fi
 %attr(0700, %{rpcbind_user_group}, %{rpcbind_user_group}) %dir %{rpcbind_state_dir}
 %changelog
+* Tue Oct 9 2018 Steve Dickson - 1.2.5-1
+- Fixed stack buffer overflow in rpcinfo (bz 1637562)
+
 * Wed Aug 15 2018 Steve Dickson - 1.2.5-0
 - Updated to latest upstream release: 1_2_5