diff --git a/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch b/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch
new file mode 100644
index 0000000..3748e07
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-nonblocking-mode.patch
@@ -0,0 +1,57 @@
+commit a4fa582908b9c63957240cb0cb68b59d56244ef5
+Author: Bodo Stroesser
+Date: Thu Nov 6 13:26:00 2014 -0500
+
+ write_vc: fix write retry loop for nonblocking mode
+
+ This is a simple fix for the write retry loop that is used on
+ non-blocking connections if write() failed with -EAGAIN.
+
+ Additionally it removes a redundant if () {}
+
+ Erroneously at each cycle of the loop the length of the data
+ to send is incremented and the buffer pointer is decremented.
+ Thus, it might happen that:
+ * the application crashes
+ * data from the memory before the buffer is sent
+
+ Signed-off-by: Bodo Stroesser
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index 4c70de8..4d3ea51 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -559,20 +559,19 @@ write_vc(xprtp, buf, len)
+ cd->strm_stat = XPRT_DIED;
+ return (-1);
+ }
+- if (cd->nonblock && i != cnt) {
+- /*
+- * For non-blocking connections, do not
+- * take more than 2 seconds writing the
+- * data out.
+- *
+- * XXX 2 is an arbitrary amount.
+- */
+- gettimeofday(&tv1, NULL);
+- if (tv1.tv_sec - tv0.tv_sec >= 2) {
+- cd->strm_stat = XPRT_DIED;
+- return (-1);
+- }
++ /*
++ * For non-blocking connections, do not
++ * take more than 2 seconds writing the
++ * data out.
++ *
++ * XXX 2 is an arbitrary amount.
++ */
++ gettimeofday(&tv1, NULL);
++ if (tv1.tv_sec - tv0.tv_sec >= 2) {
++ cd->strm_stat = XPRT_DIED;
++ return (-1);
+ }
++ i = 0; /* Don't change buf and cnt */
+ }
+ }
+
diff --git a/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch b/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch
new file mode 100644
index 0000000..6432788
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-svc-buffer-overflow.patch
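Review bot: In the svc_vc.c change carried by libtirpc-0.2.4-nonblocking-mode.patch, the EAGAIN path ends in `i = 0;` and goes round the loop again with nothing in the hunk waiting for the socket to become writable, so a peer that stops reading appears to keep the caller spinning on write() until the cut-off. A bounded wait before the retry, for example poll() for POLLOUT with the remaining time as the timeout, would remove the busy loop. The cut-off itself is taken from gettimeofday() and compares only tv_sec, so it follows wall-clock steps and can fire after little more than one second; a monotonic sample such as `clock_gettime(CLOCK_MONOTONIC, &ts1);` (ts1 being a struct timespec in place of tv1) with a matching start value would be steadier. The loop header, the write() call and the tv0 sample sit outside the hunk, so both points need checking against the full write_vc().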
@@ -0,0 +1,49 @@
+commit cf2e0082ce88fc2c75479c26a4b9f69f1b028c80
+Author: Steve Dickson
+Date: Thu May 29 09:40:59 2014 -0400
+
+ Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
+
+ Reviewed-by: Chuck Lever
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
+index 601a691..26c1065 100644
+--- a/src/svc_auth_gss.c
++++ b/src/svc_auth_gss.c
+@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
+ struct opaque_auth *oa;
+ gss_buffer_desc rpcbuf, checksum;
+ OM_uint32 maj_stat, min_stat, qop_state;
+- u_char rpchdr[128];
++ u_char *rpchdr;
+ int32_t *buf;
+
+ gss_log_debug("in svcauth_gss_validate()");
+
+- memset(rpchdr, 0, sizeof(rpchdr));
+-
+ /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+-
+- /* 8 XDR units from the IXDR macro calls. */
+- if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+- RNDUP(oa->oa_length)))
++
++ rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) +
++ RNDUP(oa->oa_length)), 1);
++ if (rpchdr == NULL)
+ return (FALSE);
+
+ buf = (int32_t *)rpchdr;
+@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
+ maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
+ &qop_state);
+
++ free(rpchdr);
++
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_log_status("gss_verify_mic", maj_stat, min_stat);
+ return (FALSE);
diff --git a/SPECS/libtirpc.spec b/SPECS/libtirpc.spec
index cb2ecef..ed10cda 100644
--- a/SPECS/libtirpc.spec
+++ b/SPECS/libtirpc.spec
@@ -2,7 +2,7 @@ Name: libtirpc Version: 0.2.4 -Release: 0.3%{?dist} +Release: 0.5%{?dist} Summary: Transport Independent RPC Library Group: System Environment/Libraries License: SISSL and BSD
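Review bot: In the svc_auth_gss.c change carried by libtirpc-0.2.4-svc-buffer-overflow.patch, the calloc() size is now the only bound on the header writes that follow, yet the patch deletes the comment explaining the constant; I would keep it above the allocation, `/* 8 XDR units from the IXDR macro calls, plus the rounded-up credential */`, so a later change to the header layout gets checked against the size. The buffer is released by a single `free(rpchdr);` after gss_verify_mic(), and the lines of svcauth_gss_validate() between the two hunks are not shown, so any return on that stretch would leak one allocation per request and is worth ruling out. The call would also read more conventionally as `rpchdr = calloc(1, 8 * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length));`, since the cast is not needed in C.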
@@ -14,6 +14,12 @@ Source0: http://downloads.sourceforge.net/libtirpc/libtirpc-%{version}.tar.bz2 BuildRequires: automake, autoconf, libtool, pkgconfig BuildRequires: krb5-devel +# +# RHEL7.1 +# +Patch001: libtirpc-0.2.4-svc-buffer-overflow.patch +Patch002: libtirpc-0.2.4-nonblocking-mode.patch + %description This package contains SunLib's implementation of transport-independent RPC (TI-RPC) documentation. This library forms a piece of the base of @@ -39,6 +45,10 @@ developing programs which use the tirpc library. %prep %setup -q +# 1102765 - rpcbind segfaults in svc_vc_recv +%patch001 -p1 +# 1162714 - Non blocking mode for writes is broken +%patch002 -p1 # Remove .orig files find . -name "*.orig" | xargs rm -f @@ -127,6 +137,12 @@ rm -rf %{buildroot} %{_mandir}/*/* %changelog +* Sat Nov 15 2014 Steve Dickson 0.2.4-0.5 +- Fixed the non-blocking mode (bz 1162714) + +* Wed Sep 17 2014 Steve Dickson 0.2.4-0.4 +- Avoid buffer overruns svcauth_gss_validate() (bz 1102765) + * Fri Jan 24 2014 Daniel Mach - 0.2.4-0.3 - Mass rebuild 2014-01-24