[Midnightbsd-cvs] src [7336] stable/0.6: In rpcbind(8), netbuf structures are copied directly, which would result in
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Sep 30 09:07:58 EDT 2015
Revision: 7336
http://svnweb.midnightbsd.org/src/?rev=7336
Author: laffer1
Date: 2015-09-30 09:07:57 -0400 (Wed, 30 Sep 2015)
Log Message:
-----------
In rpcbind(8), netbuf structures are copied directly, which would result in
two netbuf structures that reference one shared address buffer. When one
of the two netbuf structures is freed, access to the other netbuf structure
would result in an undefined result that may crash the rpcbind(8) daemon.
Modified Paths:
--------------
stable/0.6/UPDATING
stable/0.6/usr.sbin/rpcbind/rpcb_svc_com.c
Modified: stable/0.6/UPDATING
===================================================================
--- stable/0.6/UPDATING 2015-09-27 14:36:54 UTC (rev 7335)
+++ stable/0.6/UPDATING 2015-09-30 13:07:57 UTC (rev 7336)
@@ -1,5 +1,13 @@
Updating Information for MidnightBSD users.
+20150930:
+ rpcbind(8) remote denial of service
+
+ In rpcbind(8), netbuf structures are copied directly, which would result in
+ two netbuf structures that reference to one shared address buffer. When one
+ of the two netbuf structures is freed, access to the other netbuf structure
+ would result in an undefined result that may crash the rpcbind(8) daemon.
+
20150825:
MidnightBSD 0.6.7 RELEASE
Modified: stable/0.6/usr.sbin/rpcbind/rpcb_svc_com.c
===================================================================
--- stable/0.6/usr.sbin/rpcbind/rpcb_svc_com.c 2015-09-27 14:36:54 UTC (rev 7335)
+++ stable/0.6/usr.sbin/rpcbind/rpcb_svc_com.c 2015-09-30 13:07:57 UTC (rev 7336)
@@ -48,6 +48,7 @@
#include <rpc/rpc.h>
#include <rpc/rpcb_prot.h>
#include <rpc/svc_dg.h>
+#include <assert.h>
#include <netconfig.h>
#include <errno.h>
#include <syslog.h>
@@ -1048,19 +1049,31 @@
return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len));
}
+static bool_t
+netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
+{
+
+ assert(dst->buf == NULL);
+
+ if ((dst->buf = malloc(src->len)) == NULL)
+ return (FALSE);
+
+ dst->maxlen = dst->len = src->len;
+ memcpy(dst->buf, src->buf, src->len);
+ return (TRUE);
+}
+
static struct netbuf *
netbufdup(struct netbuf *ap)
{
struct netbuf *np;
- if ((np = malloc(sizeof(struct netbuf))) == NULL)
+ if ((np = calloc(1, sizeof(struct netbuf))) == NULL)
return (NULL);
- if ((np->buf = malloc(ap->len)) == NULL) {
+ if (netbuf_copybuf(np, ap) == FALSE) {
free(np);
return (NULL);
}
- np->maxlen = np->len = ap->len;
- memcpy(np->buf, ap->buf, ap->len);
return (np);
}
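Review bot: netbuf_copybuf enforces its "dst owns no buffer" precondition only through the assert() at L54, so in a build compiled with NDEBUG a caller that passes a netbuf with a live buf has that buffer silently overwritten and leaked. The precondition now holds in netbufdup because the netbuf is calloc()ed, but the helper's other caller in this commit (the svc_getrpccaller() site in a later hunk) is code this hunk does not show, so the contract belongs where the helper is defined, e.g. above the assert: `/* dst->buf must be NULL on entry: it is replaced, never freed; the caller owns the new buffer. */`. Separately, when src->len is 0 the malloc(0) result may legitimately be NULL on some allocators and the helper would then report failure for a valid empty address; if empty netbufs can reach this path, a `len == 0` case should succeed without allocating — I cannot tell from the hunk whether that case occurs.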
@@ -1068,6 +1081,7 @@
netbuffree(struct netbuf *ap)
{
free(ap->buf);
+ ap->buf = NULL;
free(ap);
}
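Review bot: `ap->buf = NULL;` at L84 is a dead store: ap itself is handed to free() on the next line, so nothing can observe the cleared pointer, and it cannot protect a second netbuf that still aliases the same buffer (the sharing this commit removes elsewhere). If it is intended as a defensive habit the line should carry a comment saying so; otherwise it is clearer to drop it.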
@@ -1185,7 +1199,7 @@
{
u_int32_t *xidp;
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+ netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr);
xidp = __rpcb_get_dg_xidp(xprt);
*xidp = fi->caller_xid;
}
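Review bot: The return value of netbuf_copybuf is discarded at L91, so when its malloc fails the transport's caller netbuf is left with buf == NULL but its previous len/maxlen, the function still stores the xid, and whatever later sends the reply to svc_getrpccaller(xprt) will dereference that NULL address. The struct assignment this replaces could not fail, so this is a new failure path the commit introduces without handling. Check the result before touching the xid, e.g. `if (netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr) == FALSE) { syslog(LOG_ERR, "cannot copy caller address"); return; }` (the function's signature is outside the hunk, so adapt the return to its actual type). Note also that netbuf_copybuf asserts dst->buf == NULL, so this site relies on the caller netbuf of xprt being empty here; the hunk does not show where a previous buffer would be released, and that is worth confirming.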