Subject: bin/10321: rpcbind's security check is broken
To: None <gnats-bugs@gnats.netbsd.org>
From: IWAMOTO Toshihiro <iwamoto@sat.t.u-tokyo.ac.jp>
List: netbsd-bugs
Date: 06/08/2000 00:51:14
>Number: 10321
>Category: bin
>Synopsis: rpcbind's security check is broken
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 08 00:52:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:
>Release: NetBSD 1.4ZA
>Organization:
>Environment:
System: NetBSD een.sat.t.u-tokyo.ac.jp 1.4ZA NetBSD 1.4ZA (EEN) #13: Wed Jun 7 14:13:27 JST 2000 iwamoto@een.sat.t.u-tokyo.ac.jp:/usr/src/syssrc/sys/arch/i386/compile/EEN i386
>Description:
rpcbind(8) says that local TCP/UDP requests are accepted with "-L",
but this does not happen because of a coding mistake.
>How-To-Repeat:
Try to run old rpc programs without installing new libc.so.
>Fix:
Apply the following patch.
cvs diff: Diffing usr.sbin/rpcbind
Index: usr.sbin/rpcbind/security.c
===================================================================
RCS file: /public/dpt/NetBSD/NetBSD-CVS/basesrc/usr.sbin/rpcbind/security.c,v
retrieving revision 1.3
diff -u -r1.3 security.c
--- usr.sbin/rpcbind/security.c 2000/06/04 12:06:44 1.3
+++ usr.sbin/rpcbind/security.c 2000/06/07 05:19:46
@@ -134,14 +134,14 @@
return 0;
sin = (struct sockaddr_in *)addr;
return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
- (sin->sin_port < IPPORT_RESERVED));
+ (ntohs(sin->sin_port) < IPPORT_RESERVED));
#ifdef INET6
case AF_INET6:
if (!oldstyle_local)
return 0;
sin6 = (struct sockaddr_in6 *)addr;
return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
- (sin6->sin6_port < IPPORT_RESERVED));
+ (ntohs(sin6->sin6_port) < IPPORT_RESERVED));
#endif
case AF_LOCAL:
return 1;
>Release-Note:
>Audit-Trail:
>Unformatted: