Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/lib/libc/rpc - limit size of buffers to RPC_MAXDATASIZE
details: https://anonhg.NetBSD.org/src/rev/31720b20bada
branches: trunk
changeset: 823708:31720b20bada
user: christos <christos%NetBSD.org@localhost>
date: Wed May 03 21:39:27 2017 +0000
description:
- limit size of buffers to RPC_MAXDATASIZE
- don't leak memory
- be more picky about bad parameters
https://raw.githubusercontent.com/guidovranken/rpcbomb/master/libtirpc_patch.txt
XXX: pullup-7
diffstat:
lib/libc/rpc/rpc_generic.c | 13 ++++++++++---
lib/libc/rpc/rpcb_prot.c | 26 ++++++++++++++++----------
lib/libc/rpc/rpcb_st_xdr.c | 13 +++++++------
lib/libc/rpc/xdr.c | 34 +++++++++++++++++++++++++++-------
4 files changed, 60 insertions(+), 26 deletions(-)
diffs (truncated from 309 to 300 lines):
diff -r 90bc51032cd4 -r 31720b20bada lib/libc/rpc/rpc_generic.c
--- a/lib/libc/rpc/rpc_generic.c Wed May 03 21:36:16 2017 +0000
+++ b/lib/libc/rpc/rpc_generic.c Wed May 03 21:39:27 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rpc_generic.c,v 1.29 2013/04/05 03:17:38 dholland Exp $ */
+/* $NetBSD: rpc_generic.c,v 1.30 2017/05/03 21:39:27 christos Exp $ */
/*
* Copyright (c) 2010, Oracle America, Inc.
@@ -43,7 +43,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: rpc_generic.c,v 1.29 2013/04/05 03:17:38 dholland Exp $");
+__RCSID("$NetBSD: rpc_generic.c,v 1.30 2017/05/03 21:39:27 christos Exp $");
#endif
#include "namespace.h"
@@ -644,6 +644,9 @@
switch (af) {
case AF_INET:
+ if (nbuf->len < sizeof(*sinp)) {
+ return NULL;
+ }
sinp = nbuf->buf;
if (inet_ntop(af, &sinp->sin_addr, namebuf,
(socklen_t)sizeof namebuf) == NULL)
@@ -655,6 +658,9 @@
break;
#ifdef INET6
case AF_INET6:
+ if (nbuf->len < sizeof(*sin6)) {
+ return NULL;
+ }
sin6 = nbuf->buf;
if (inet_ntop(af, &sin6->sin6_addr, namebuf6,
(socklen_t)sizeof namebuf6) == NULL)
@@ -690,7 +696,8 @@
#endif
struct sockaddr_un *sun;
- _DIAGASSERT(uaddr != NULL);
+ if (uaddr == NULL)
+ return NULL;
addrstr = strdup(uaddr);
if (addrstr == NULL)
diff -r 90bc51032cd4 -r 31720b20bada lib/libc/rpc/rpcb_prot.c
--- a/lib/libc/rpc/rpcb_prot.c Wed May 03 21:36:16 2017 +0000
+++ b/lib/libc/rpc/rpcb_prot.c Wed May 03 21:39:27 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rpcb_prot.c,v 1.11 2013/03/11 20:19:29 tron Exp $ */
+/* $NetBSD: rpcb_prot.c,v 1.12 2017/05/03 21:39:27 christos Exp $ */
/*
* Copyright (c) 2010, Oracle America, Inc.
@@ -41,7 +41,7 @@
#if 0
static char sccsid[] = "@(#)rpcb_prot.c 1.9 89/04/21 Copyr 1984 Sun Micro";
#else
-__RCSID("$NetBSD: rpcb_prot.c,v 1.11 2013/03/11 20:19:29 tron Exp $");
+__RCSID("$NetBSD: rpcb_prot.c,v 1.12 2017/05/03 21:39:27 christos Exp $");
#endif
#endif
@@ -58,6 +58,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/rpcb_prot.h>
+#include <rpc/rpc_com.h>
#include <assert.h>
@@ -85,13 +86,13 @@
if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
return (FALSE);
}
return (TRUE);
@@ -193,19 +194,19 @@
_DIAGASSERT(objp != NULL);
- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
return (FALSE);
}
return (TRUE);
@@ -329,7 +330,7 @@
_DIAGASSERT(p != NULL);
- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_u_int(xdrs, &objp->results.results_len)) {
@@ -349,6 +350,11 @@
if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
return (FALSE);
}
+
+ if (objp->maxlen > RPC_MAXDATASIZE) {
+ return (FALSE);
+ }
+
dummy = xdr_bytes(xdrs, (char **)(void *)&(objp->buf),
(u_int *)&(objp->len), objp->maxlen);
return (dummy);
diff -r 90bc51032cd4 -r 31720b20bada lib/libc/rpc/rpcb_st_xdr.c
--- a/lib/libc/rpc/rpcb_st_xdr.c Wed May 03 21:36:16 2017 +0000
+++ b/lib/libc/rpc/rpcb_st_xdr.c Wed May 03 21:39:27 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rpcb_st_xdr.c,v 1.10 2013/03/11 20:19:29 tron Exp $ */
+/* $NetBSD: rpcb_st_xdr.c,v 1.11 2017/05/03 21:39:27 christos Exp $ */
/*
* Copyright (c) 2010, Oracle America, Inc.
@@ -42,11 +42,12 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: rpcb_st_xdr.c,v 1.10 2013/03/11 20:19:29 tron Exp $");
+__RCSID("$NetBSD: rpcb_st_xdr.c,v 1.11 2017/05/03 21:39:27 christos Exp $");
#endif
#include "namespace.h"
#include <rpc/rpc.h>
+#include <rpc/rpc_com.h>
#include <assert.h>
@@ -80,7 +81,7 @@
if (!xdr_int(xdrs, &objp->failure)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
@@ -132,7 +133,7 @@
IXDR_PUT_INT32(buf, objp->failure);
IXDR_PUT_INT32(buf, objp->indirect);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)(void *)&objp->next,
@@ -170,7 +171,7 @@
objp->failure = (int)IXDR_GET_INT32(buf);
objp->indirect = (int)IXDR_GET_INT32(buf);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)(void *)&objp->next,
@@ -198,7 +199,7 @@
if (!xdr_int(xdrs, &objp->indirect)) {
return (FALSE);
}
- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)(void *)&objp->next,
diff -r 90bc51032cd4 -r 31720b20bada lib/libc/rpc/xdr.c
--- a/lib/libc/rpc/xdr.c Wed May 03 21:36:16 2017 +0000
+++ b/lib/libc/rpc/xdr.c Wed May 03 21:39:27 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xdr.c,v 1.33 2013/03/11 20:19:29 tron Exp $ */
+/* $NetBSD: xdr.c,v 1.34 2017/05/03 21:39:27 christos Exp $ */
/*
* Copyright (c) 2010, Oracle America, Inc.
@@ -37,7 +37,7 @@
static char *sccsid = "@(#)xdr.c 1.35 87/08/12";
static char *sccsid = "@(#)xdr.c 2.1 88/07/29 4.0 RPCSRC";
#else
-__RCSID("$NetBSD: xdr.c,v 1.33 2013/03/11 20:19:29 tron Exp $");
+__RCSID("$NetBSD: xdr.c,v 1.34 2017/05/03 21:39:27 christos Exp $");
#endif
#endif
@@ -59,8 +59,10 @@
#include <stdlib.h>
#include <string.h>
+#include <rpc/rpc.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
+#include <rpc/rpc_com.h>
#ifdef __weak_alias
__weak_alias(xdr_bool,_xdr_bool)
@@ -98,7 +100,6 @@
*/
#define XDR_FALSE ((long) 0)
#define XDR_TRUE ((long) 1)
-#define LASTUNSIGNED ((u_int) 0-1)
/*
* for unit alignment
@@ -590,6 +591,7 @@
{
char *sp; /* sp is the actual string pointer */
u_int nodesize;
+ bool_t ret, allocated = FALSE;
_DIAGASSERT(xdrs != NULL);
_DIAGASSERT(cpp != NULL);
@@ -619,6 +621,7 @@
}
if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
+ allocated = TRUE;
}
if (sp == NULL) {
warn("%s: out of memory", __func__);
@@ -627,7 +630,14 @@
/* FALLTHROUGH */
case XDR_ENCODE:
- return (xdr_opaque(xdrs, sp, nodesize));
+ ret = xdr_opaque(xdrs, sp, nodesize);
+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+ if (allocated == TRUE) {
+ free(sp);
+ *cpp = NULL;
+ }
+ }
+ return (ret);
case XDR_FREE:
if (sp != NULL) {
@@ -727,6 +737,7 @@
u_int size = 0; /* XXX: GCC */
u_int nodesize;
size_t len;
+ bool_t ret, allocated = FALSE;
_DIAGASSERT(xdrs != NULL);
_DIAGASSERT(cpp != NULL);
@@ -767,8 +778,10 @@
if (nodesize == 0) {
return (TRUE);
}
- if (sp == NULL)
+ if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
+ allocated = TRUE;
+ }
if (sp == NULL) {
warn("%s: out of memory", __func__);
return (FALSE);
@@ -777,7 +790,14 @@
/* FALLTHROUGH */
case XDR_ENCODE:
- return (xdr_opaque(xdrs, sp, size));
+ ret = xdr_opaque(xdrs, sp, size);
+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+ if (allocated == TRUE) {
+ free(sp);
+ *cpp = NULL;
+ }
+ }
+ return (ret);
case XDR_FREE:
mem_free(sp, nodesize);
Home |
Main Index |
Thread Index |
Old Index