diff options
author | delphij <delphij@FreeBSD.org> | 2017-06-06 07:21:33 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2017-06-06 07:21:33 +0000 |
commit | 31c59906ec81f862e5f8ce88378fa26e2ff3156b (patch) | |
tree | bc5ed9ac499610bee622336a6607191bdde3b6af /sys/xdr | |
parent | 1556d42b5bdc72d3b2a4d01c5f0e610c296a53cd (diff) | |
download | FreeBSD-src-31c59906ec81f862e5f8ce88378fa26e2ff3156b.zip FreeBSD-src-31c59906ec81f862e5f8ce88378fa26e2ff3156b.tar.gz |
MFC r319369:
* limit size of buffers to RPC_MAXDATASIZE
* don't leak memory
* be more picky about bad parameters
From:
https://raw.githubusercontent.com/guidovranken/rpcbomb/master/libtirpc_patch.txt
https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt
via NetBSD.
Approved by: re (kib)
Diffstat (limited to 'sys/xdr')
-rw-r--r-- | sys/xdr/xdr.c | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/sys/xdr/xdr.c b/sys/xdr/xdr.c index 69d9e4a..915d27b 100644 --- a/sys/xdr/xdr.c +++ b/sys/xdr/xdr.c @@ -51,6 +51,8 @@ __FBSDID("$FreeBSD$"); #include <sys/kernel.h> #include <sys/malloc.h> +#include <rpc/rpc.h> +#include <rpc/rpc_com.h> #include <rpc/types.h> #include <rpc/xdr.h> @@ -62,7 +64,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ */ #define XDR_FALSE ((long) 0) #define XDR_TRUE ((long) 1) -#define LASTUNSIGNED ((u_int) 0-1) /* * for unit alignment @@ -503,6 +504,7 @@ xdr_bytes(XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize) { char *sp = *cpp; /* sp is the actual string pointer */ u_int nodesize; + bool_t ret, allocated = FALSE; /* * first deal with the length since xdr bytes are counted @@ -526,6 +528,7 @@ xdr_bytes(XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize) } if (sp == NULL) { *cpp = sp = mem_alloc(nodesize); + allocated = TRUE; } if (sp == NULL) { printf("xdr_bytes: out of memory"); @@ -534,7 +537,14 @@ xdr_bytes(XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize) /* FALLTHROUGH */ case XDR_ENCODE: - return (xdr_opaque(xdrs, sp, nodesize)); + ret = xdr_opaque(xdrs, sp, nodesize); + if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { + if (allocated == TRUE) { + mem_free(sp, nodesize); + *cpp = NULL; + } + } + return (ret); case XDR_FREE: if (sp != NULL) { @@ -622,6 +632,7 @@ xdr_string(XDR *xdrs, char **cpp, u_int maxsize) char *sp = *cpp; /* sp is the actual string pointer */ u_int size; u_int nodesize; + bool_t ret, allocated = FALSE; /* * first deal with the length since xdr strings are counted-strings @@ -655,8 +666,10 @@ xdr_string(XDR *xdrs, char **cpp, u_int maxsize) if (nodesize == 0) { return (TRUE); } - if (sp == NULL) + if (sp == NULL) { *cpp = sp = mem_alloc(nodesize); + allocated = TRUE; + } if (sp == NULL) { printf("xdr_string: out of memory"); return (FALSE); @@ -665,7 +678,14 @@ xdr_string(XDR *xdrs, char **cpp, u_int maxsize) /* FALLTHROUGH */ case XDR_ENCODE: - return (xdr_opaque(xdrs, sp, size)); + ret = xdr_opaque(xdrs, sp, size); + if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { + if (allocated == TRUE) { + mem_free(sp, nodesize); + *cpp = NULL; + } + } + return (ret); case XDR_FREE: mem_free(sp, nodesize); @@ -683,7 +703,7 @@ xdr_string(XDR *xdrs, char **cpp, u_int maxsize) bool_t xdr_wrapstring(XDR *xdrs, char **cpp) { - return xdr_string(xdrs, cpp, LASTUNSIGNED); + return xdr_string(xdrs, cpp, RPC_MAXDATASIZE); } /* |