From 8dd2abc7092004d397e37663505330eb8426b82b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 05 2015 13:25:47 +0000
Subject: import libtirpc-0.2.4-0.5.el7


---

diff --git a/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch b/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch
new file mode 100644
index 0000000..3748e07
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch
@@ -0,0 +1,57 @@
+commit a4fa582908b9c63957240cb0cb68b59d56244ef5
+Author: Bodo Stroesser <bstroesser@ts.fujitsu.com>
+Date:   Thu Nov 6 13:26:00 2014 -0500
+
+    write_vc: fix write retry loop for nonblocking mode
+    
+    This is a simple fix for the write retry loop that is used on
+    non-blocking connections if write() failed with -EAGAIN.
+    
+    Additionally it removes a redundant if () {}
+    
+    Erroneously at each cycle of the loop the length of the data
+    to send is incremented and the buffer pointer is decremented.
+    Thus, it might happen that:
+    * the application crashes
+    * data from the memory before the buffer is sent
+    
+    Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index 4c70de8..4d3ea51 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -559,20 +559,19 @@ write_vc(xprtp, buf, len)
+ 				cd->strm_stat = XPRT_DIED;
+ 				return (-1);
+ 			}
+-			if (cd->nonblock && i != cnt) {
+-				/*
+-				 * For non-blocking connections, do not
+-				 * take more than 2 seconds writing the
+-				 * data out.
+-				 *
+-				 * XXX 2 is an arbitrary amount.
+-				 */
+-				gettimeofday(&tv1, NULL);
+-				if (tv1.tv_sec - tv0.tv_sec >= 2) {
+-					cd->strm_stat = XPRT_DIED;
+-					return (-1);
+-				}
++			/*
++			 * For non-blocking connections, do not
++			 * take more than 2 seconds writing the
++			 * data out.
++			 *
++			 * XXX 2 is an arbitrary amount.
++			 */
++			gettimeofday(&tv1, NULL);
++			if (tv1.tv_sec - tv0.tv_sec >= 2) {
++				cd->strm_stat = XPRT_DIED;
++				return (-1);
+ 			}
++			i = 0; /* Don't change buf and cnt */
+ 		}
+ 	}
+ 
diff --git a/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch b/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch
new file mode 100644
index 0000000..6432788
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch
@@ -0,0 +1,49 @@
+commit cf2e0082ce88fc2c75479c26a4b9f69f1b028c80
+Author: Steve Dickson <steved@redhat.com>
+Date:   Thu May 29 09:40:59 2014 -0400
+
+    Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
+    
+    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
+index 601a691..26c1065 100644
+--- a/src/svc_auth_gss.c
++++ b/src/svc_auth_gss.c
+@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
+ 	struct opaque_auth	*oa;
+ 	gss_buffer_desc		 rpcbuf, checksum;
+ 	OM_uint32		 maj_stat, min_stat, qop_state;
+-	u_char			 rpchdr[128];
++	u_char			 *rpchdr;
+ 	int32_t			*buf;
+ 
+ 	gss_log_debug("in svcauth_gss_validate()");
+ 
+-	memset(rpchdr, 0, sizeof(rpchdr));
+-
+ 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ 	oa = &msg->rm_call.cb_cred;
+ 	if (oa->oa_length > MAX_AUTH_BYTES)
+ 		return (FALSE);
+-	
+-	/* 8 XDR units from the IXDR macro calls. */
+-	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+-			RNDUP(oa->oa_length)))
++
++	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
++			RNDUP(oa->oa_length)), 1);
++	if (rpchdr == NULL)
+ 		return (FALSE);
+ 
+ 	buf = (int32_t *)rpchdr;
+@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
+ 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
+ 				  &qop_state);
+ 
++	free(rpchdr);
++
+ 	if (maj_stat != GSS_S_COMPLETE) {
+ 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
+ 		return (FALSE);
diff --git a/SPECS/libtirpc.spec b/SPECS/libtirpc.spec
index cb2ecef..ed10cda 100644
--- a/SPECS/libtirpc.spec
+++ b/SPECS/libtirpc.spec
@@ -2,7 +2,7 @@
 
 Name:		   libtirpc
 Version:		0.2.4
-Release:		0.3%{?dist}
+Release:		0.5%{?dist}
 Summary:		Transport Independent RPC Library
 Group:		  	System Environment/Libraries
 License:		SISSL and BSD
@@ -14,6 +14,12 @@ Source0:	http://downloads.sourceforge.net/libtirpc/libtirpc-%{version}.tar.bz2
 BuildRequires:		automake, autoconf, libtool, pkgconfig
 BuildRequires:		krb5-devel
 
+#
+# RHEL7.1
+#
+Patch001: libtirpc-0.2.4-svc-buffer-overflow.patch
+Patch002: libtirpc-0.2.4-nonblocking-mode.patch
+
 %description
 This package contains SunLib's implementation of transport-independent
 RPC (TI-RPC) documentation.  This library forms a piece of the base of 
@@ -39,6 +45,10 @@ developing programs which use the tirpc library.
 
 %prep
 %setup -q
+# 1102765 - rpcbind segfaults in svc_vc_recv
+%patch001 -p1
+# 1162714 - Non blocking mode for writes is broken
+%patch002 -p1
 
 # Remove .orig files
 find . -name "*.orig" | xargs rm -f
@@ -127,6 +137,12 @@ rm -rf %{buildroot}
 %{_mandir}/*/*
 
 %changelog
+* Sat Nov 15 2014 Steve Dickson <steved@redhat.com> 0.2.4-0.5
+- Fixed the non-blocking mode (bz 1162714)
+
+* Wed Sep 17 2014 Steve Dickson <steved@redhat.com> 0.2.4-0.4
+- Avoid buffer overruns svcauth_gss_validate() (bz 1102765)
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.2.4-0.3
 - Mass rebuild 2014-01-24