aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch')
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch84
1 files changed, 0 insertions, 84 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
deleted file mode 100644
index 741a99035c..0000000000
--- a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
-Author: Olaf Kirch <okir@...e.de>
-Date: Thu Aug 6 16:27:20 2015 +0200
-
- Fix memory corruption in PMAP_CALLIT code
-
- - A PMAP_CALLIT call comes in on IPv4 UDP
- - rpcbind duplicates the caller's address to a netbuf and stores it in
- FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
- with a size of 16 bytes
- - rpcbind forwards the call to the local service, receives a reply
- - when processing the reply, it does this in xprt_set_caller:
- xprt->xp_rtaddr = *FINFO[0].caller_addr
- It sends out the reply, and then frees the netbuf caller_addr and
- caller_addr.buf.
- However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
- to memory region A, which is free.
- - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
- be called, which will set xp_rtaddr to the client's address.
- It will reuse the buffer inside xp_rtaddr, ie it will write a
- sockaddr_in to region A
-
- Some time down the road, an incoming TCP connection is accepted,
- allocating a fresh SVCXPRT. The memory region A is inside the
- new SVCXPRT
-
- - While processing the TCP call, another UDP call comes in, again
- overwriting region A with the client's address
- - TCP client closes connection. In svc_destroy, we now trip over
- the garbage left in region A
-
- We ran into the case where a commercial scanner was triggering
- occasional rpcbind segfaults. The core file that was captured showed
- a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
-
- Signed-off-by: Olaf Kirch <okir@...e.de>
-
- Upstream-Status: Backport
- CVE: CVE-2015-7236
-
- Signed-off-by: Li Zhou <li.zhou@windriver.com>
----
- src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
-===================================================================
---- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
-+++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
-@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
- return (ncallbacks_found);
- }
-
-+/*
-+ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
-+ * been exported yet.
-+ */
-+static struct netbuf *
-+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
-+{
-+ if (nb->len != len) {
-+ if (nb->len)
-+ mem_free(nb->buf, nb->len);
-+ nb->buf = mem_alloc(len);
-+ if (nb->buf == NULL)
-+ return NULL;
-+
-+ nb->maxlen = nb->len = len;
-+ }
-+ memcpy(nb->buf, ptr, len);
-+ return nb;
-+}
-+
- static void
- xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
- {
-+ const struct netbuf *caller = fi->caller_addr;
- u_int32_t *xidp;
-
-- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
-+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
- xidp = __rpcb_get_dg_xidp(xprt);
- *xidp = fi->caller_xid;
- }
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-30 09:05:27 +0000