Subject: bin/13450: rpcbind segmentation fault (perhaps remote DoS)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <abb@numeca.be>
List: netbsd-bugs
Date: 07/12/2001 12:21:24
>Number:         13450
>Category:       bin
>Synopsis:       rpcbind crashes by request from client from non-local ip-network
>Confidential:   yes
>Severity:       critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 12 03:19:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alexandre Bezroutchko
>Release:        NetBSD-1.5 <NetBSD-current source date>
>Organization:
NUMECA International
>Environment:
System: NetBSD nis.numeca.be 1.5 NetBSD 1.5 (GENERIC) #1: Sun Nov 19 21:42:11 MET 2000 fvdl@sushi:/work/trees/netbsd-1-5/sys/arch/i386/compile/GENERIC i386

NIS client: SunOS fermat 5.6 Generic_105181-23 sun4u sparc SUNW,Ultra-5_10

>Description:

I have a standard NetBSD-1.5 installation with rpcbind & ypserv enabled.
Rpcbind gets a segmentation fault when accessed from a Solaris 2.6 (Sparc) client.
The client and server computers are on different IP networks (sharing the same Ethernet segment).

I think the bug is critical because it can be used for a DoS attack.

>How-To-Repeat:

On NetBSD, launch 'rpcbind -d' and 'ypserv -f -l'.
On Solaris, run 'rpcinfo -p nis' or 'ypwhich' and see that rpcbind has crashed.

>Fix:
	The workaround is to put both computers on the same network.

	The problem is that rpcbind does not initialize the 'tbuf' structure (util.c:117)
	if the interface is not found in the loop at lines 162-244. The structure is used
	anyway at line 269.

>Release-Note:
>Audit-Trail:
>Unformatted:
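The shape of the bug the report describes, as an added illustration that is not rpcbind's util.c and not part of the original PR: a lookup loop that only fills its output structure when some local interface shares the client's network, followed by an unconditional use of that structure. The struct names, the interface table and the client addresses below are constructed for the demo; 'netbuf_like' stands in for the netbuf-style 'tbuf', and the hardened variant shows the check a caller needs before using the result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One local interface: name, IPv4 address and netmask (host byte order). */
struct ifaddr {
    const char *name;
    uint32_t addr;
    uint32_t mask;
};

/* Stand-in for the netbuf-style 'tbuf' from the report: pointer + length. */
struct netbuf_like {
    const uint32_t *buf;
    size_t len;
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed interface table (hypothetical; not taken from any real host). */
static const struct ifaddr ifs[] = {
    { "lo0", IP4(127, 0, 0, 1),    IP4(255, 0, 0, 0) },
    { "ne0", IP4(192, 168, 1, 10), IP4(255, 255, 255, 0) },
};
#define NIFS (sizeof ifs / sizeof ifs[0])

static int same_network(const struct ifaddr *ifa, uint32_t client)
{
    return (client & ifa->mask) == (ifa->addr & ifa->mask);
}

/* Buggy shape: 'out' is written only inside the loop. When no interface shares
 * the client's network it is left exactly as the caller declared it, which is
 * uninitialized stack memory if the caller wrote 'struct netbuf_like tbuf;'. */
static void find_local_addr_unchecked(uint32_t client, struct netbuf_like *out)
{
    for (size_t i = 0; i < NIFS; i++) {
        if (same_network(&ifs[i], client)) {
            out->buf = &ifs[i].addr;
            out->len = sizeof ifs[i].addr;
            return;
        }
    }
    /* falls through with *out untouched */
}

/* Hardened shape: clear the output first and report whether it was filled. */
static int find_local_addr(uint32_t client, struct netbuf_like *out)
{
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < NIFS; i++) {
        if (same_network(&ifs[i], client)) {
            out->buf = &ifs[i].addr;
            out->len = sizeof ifs[i].addr;
            return 0;
        }
    }
    return -1;              /* no interface on the client's network */
}

/* Models the later use of tbuf: copy the chosen address into the reply.
 * Because the lookup result is checked, a client from an unknown network
 * gets a refusal (-1) instead of a dereference of garbage. */
static int reply_addr_for(uint32_t client, uint32_t *reply)
{
    struct netbuf_like tbuf;

    if (find_local_addr(client, &tbuf) != 0 || tbuf.buf == NULL)
        return -1;
    memcpy(reply, tbuf.buf, tbuf.len);
    return 0;
}

static void fmt_ip4(uint32_t a, char *s, size_t n)
{
    snprintf(s, n, "%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

int main(void)
{
    /* Constructed clients: one on ne0's network, one from elsewhere. */
    uint32_t clients[] = { IP4(192, 168, 1, 77), IP4(10, 0, 0, 5) };
    char c[16], r[16];

    for (size_t i = 0; i < 2; i++) {
        /* Cleared here on purpose so the demo itself cannot crash; the real
         * bug is an uninitialized tbuf at this point. */
        struct netbuf_like tbuf = { NULL, 0 };
        uint32_t reply;

        fmt_ip4(clients[i], c, sizeof c);
        find_local_addr_unchecked(clients[i], &tbuf);
        printf("unchecked: client %s -> tbuf %s\n", c,
               tbuf.buf ? "filled" : "left untouched (would be stack garbage)");
        if (reply_addr_for(clients[i], &reply) == 0) {
            fmt_ip4(reply, r, sizeof r);
            printf("checked:   client %s -> reply with %s\n", c, r);
        } else {
            printf("checked:   client %s -> no local interface on that network, refused\n", c);
        }
    }
    return 0;
}
```

The unchecked variant is what the report blames: on the matching path both versions behave identically, so the missing initialization only shows up when a client from a foreign network arrives, which is exactly the remote trigger the submitter observed.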