From 646a5c1cbfd95873950a87b5f75d52073a967023 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 28 May 2018 19:12:29 +0000 Subject: Mon May 28 19:12:29 UTC 2018 a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded. --- ...Fix-memory-corruption-in-PMAP_CALLIT-code.patch | 82 ---------------------- 1 file changed, 82 deletions(-) delete mode 100644 source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch (limited to 'source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch') diff --git a/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch b/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch deleted file mode 100644 index 6a80742f..00000000 --- a/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch +++ /dev/null @@ -1,82 +0,0 @@ -From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001 -From: Olaf Kirch -Date: Fri, 30 Oct 2015 10:18:20 -0400 -Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code - - - A PMAP_CALLIT call comes in on IPv4 UDP - - rpcbind duplicates the caller's address to a netbuf and stores it in - FINFO[0].caller_addr. caller_addr->buf now points to a memory region A - with a size of 16 bytes - - rpcbind forwards the call to the local service, receives a reply - - when processing the reply, it does this in xprt_set_caller: - xprt->xp_rtaddr = *FINFO[0].caller_addr - It sends out the reply, and then frees the netbuf caller_addr and - caller_addr.buf. - However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers - to memory region A, which is free. - - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will - be called, which will set xp_rtaddr to the client's address. - It will reuse the buffer inside xp_rtaddr, ie it will write a - sockaddr_in to region A - -Some time down the road, an incoming TCP connection is accepted, -allocating a fresh SVCXPRT. The memory region A is inside the -new SVCXPRT - - - While processing the TCP call, another UDP call comes in, again - overwriting region A with the client's address - - TCP client closes connection. In svc_destroy, we now trip over - the garbage left in region A - -We ran into the case where a commercial scanner was triggering -occasional rpcbind segfaults. The core file that was captured showed -a corrupted xprt->xp_netid pointer that was really a sockaddr_in. - -Signed-off-by: Olaf Kirch -Signed-off-by: Steve Dickson ---- - src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index ff9ce6b..4ae93f1 100644 ---- a/src/rpcb_svc_com.c -+++ b/src/rpcb_svc_com.c -@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds) - return (ncallbacks_found); - } - -+/* -+ * This is really a helper function defined in libtirpc, -+ * but unfortunately, it hasn't been exported yet. -+ */ -+static struct netbuf * -+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) -+{ -+ if (nb->len != len) { -+ if (nb->len) -+ mem_free(nb->buf, nb->len); -+ nb->buf = mem_alloc(len); -+ if (nb->buf == NULL) -+ return NULL; -+ -+ nb->maxlen = nb->len = len; -+ } -+ memcpy(nb->buf, ptr, len); -+ return nb; -+} -+ - static void - xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) - { -+ const struct netbuf *caller = fi->caller_addr; - u_int32_t *xidp; - -- *(svc_getrpccaller(xprt)) = *(fi->caller_addr); -+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); - xidp = __rpcb_get_dg_xidp(xprt); - *xidp = fi->caller_xid; - } --- -2.6.4 - -- cgit v1.2.3