From 31c59906ec81f862e5f8ce88378fa26e2ff3156b Mon Sep 17 00:00:00 2001
From: delphij
Date: Tue, 6 Jun 2017 07:21:33 +0000
Subject: MFC r319369: * limit size of buffers to RPC_MAXDATASIZE * don't leak memory * be more picky about bad parameters From: https://raw.githubusercontent.com/guidovranken/rpcbomb/master/libtirpc_patch.txt https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt via NetBSD. Approved by: re (kib)
---
 lib/libc/rpc/rpcb_prot.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'lib/libc/rpc/rpcb_prot.c')
diff --git a/lib/libc/rpc/rpcb_prot.c b/lib/libc/rpc/rpcb_prot.c
index c462e19..39a201c 100644
--- a/lib/libc/rpc/rpcb_prot.c
+++ b/lib/libc/rpc/rpcb_prot.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
+#include
 #include "un-namespace.h"
 bool_t
@@ -62,13 +63,13 @@ xdr_rpcb(XDR *xdrs, RPCB *objp)
 if (!xdr_rpcvers(xdrs, &objp->r_vers)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
 return (TRUE);
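Review bot: The `RPC_MAXDATASIZE` bound in xdr_rpcb() is applied to `r_netid`, `r_addr` and `r_owner` one by one, and nothing at the call sites records why that constant was chosen or that it is what keeps a peer-supplied length prefix from sizing the decode-side allocation. A short comment above the first call would record it, for example `/* Length prefix comes from the peer: cap each string so decode cannot be asked for up to (u_int)~0 bytes. */`. The same applies to the four strings in xdr_rpcb_entry() and to `addr` in xdr_rpcb_rmtcallres(). When an earlier string has been decoded and a later one fails, the function returns FALSE without releasing it; presumably the caller is expected to call xdr_free(), which is worth confirming because the commit message mentions leaks and no such change is visible in this file. xdr_rpcb() begins above the hunk.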
@@ -162,19 +163,19 @@ xdr_rpcblist(XDR *xdrs, RPCBLIST **rp)
 bool_t
 xdr_rpcb_entry(XDR *xdrs, rpcb_entry *objp)
 {
- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
 if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
 return (TRUE);
@@ -289,7 +290,7 @@ xdr_rpcb_rmtcallres(XDR *xdrs, struct rpcb_rmtcallres *p)
 bool_t dummy;
 struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
 return (FALSE);
 }
 if (!xdr_u_int(xdrs, &objp->results.results_len)) {
-- cgit v1.1
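Review bot: `results.results_len` is still decoded straight from the wire by `xdr_u_int()` on the last line of the xdr_rpcb_rmtcallres() hunk, and no upper bound on it is visible here, while the `addr` string just before it now has one. If the code after the hunk uses that length to size a buffer or a copy, it should be rejected first, e.g. `if (objp->results.results_len > RPC_MAXDATASIZE) return (FALSE);`. The rest of the function lies outside the hunk, so this may already be handled there.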