[Buildroot] [PATCH] rpcbind: fix attempt to free non-dynamic memory
Ed Blake
ed.blake at sondrel.com
Wed Jan 17 10:08:58 UTC 2018
Commit 954509f added a security fix for CVE-2017-8779, involving
pairing all svc_getargs() calls with svc_freeargs() to avoid a memory
leak. This included adding a call to svc_freeargs() to
rpcbproc_callit_com().
However, rpcbproc_callit_com() allocates memory for args.rmt_args.args
itself, either dynamically (sendsz > RPC_BUF_MAX) or else on the stack,
rather than having the memory allocated in svc_getargs().
The call to svc_freeargs() results in an attempt to free the memory
allocated by rpcbproc_callit_com(), which if on the stack results in
undefined behaviour.
Fix this by removing the svc_freeargs() call, which is not required as
rpcbproc_callit_com() allocates (and correctly frees) memory itself.
Change-Id: I7fc34efd58408ec5e626da8edd08aa697ed8b936
Signed-off-by: Ed Blake <ed.blake at sondrel.com>
---
...pair-all-svc_getargs-calls-with-svc_freeargs.patch | 19 -------------------
1 file changed, 19 deletions(-)
diff --git a/package/rpcbind/0004-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch b/package/rpcbind/0004-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
index 130e5d77c..91fe20830 100644
--- a/package/rpcbind/0004-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
+++ b/package/rpcbind/0004-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
@@ -207,25 +207,6 @@ index b673452..3e37b54 100644
}
if (rqstp->rq_proc == RPCBPROC_SET
-diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
-index ff9ce6b..98ede61 100644
---- a/src/rpcb_svc_com.c
-+++ b/src/rpcb_svc_com.c
-@@ -931,6 +931,14 @@ error:
- if (call_msg.rm_xid != 0)
- (void) free_slot_by_xid(call_msg.rm_xid);
- out:
-+ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
-+ if (debugging) {
-+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
-+ if (doabort) {
-+ rpcbind_abort();
-+ }
-+ }
-+ }
- if (local_uaddr)
- free(local_uaddr);
- if (buf_alloc)
--
2.11.0
--
2.11.0
More information about the buildroot
mailing list