Blame SOURCES/rpcbind-0.2.0-CVE20157236-memcorrup.patch
|
|
bec77d |
diff -up rpcbind-0.2.0/src/rpcb_svc_com.c.orig rpcbind-0.2.0/src/rpcb_svc_com.c
|
|
|
bec77d |
--- rpcbind-0.2.0/src/rpcb_svc_com.c.orig 2015-11-30 14:57:10.267576072 -0500
|
|
|
bec77d |
+++ rpcbind-0.2.0/src/rpcb_svc_com.c 2015-11-30 14:59:06.305393416 -0500
|
|
|
bec77d |
@@ -1204,12 +1204,33 @@ check_rmtcalls(struct pollfd *pfds, int
|
|
|
bec77d |
return (ncallbacks_found);
|
|
|
bec77d |
}
|
|
|
bec77d |
|
|
|
bec77d |
+/*
|
|
|
bec77d |
+ * This is really a helper function defined in libtirpc,
|
|
|
bec77d |
+ * but unfortunately, it hasn't been exported yet.
|
|
|
bec77d |
+ */
|
|
|
bec77d |
+static struct netbuf *
|
|
|
bec77d |
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
|
|
|
bec77d |
+{
|
|
|
bec77d |
+ if (nb->len != len) {
|
|
|
bec77d |
+ if (nb->len)
|
|
|
bec77d |
+ mem_free(nb->buf, nb->len);
|
|
|
bec77d |
+ nb->buf = mem_alloc(len);
|
|
|
bec77d |
+ if (nb->buf == NULL)
|
|
|
bec77d |
+ return NULL;
|
|
|
bec77d |
+
|
|
|
bec77d |
+ nb->maxlen = nb->len = len;
|
|
|
bec77d |
+ }
|
|
|
bec77d |
+ memcpy(nb->buf, ptr, len);
|
|
|
bec77d |
+ return nb;
|
|
|
bec77d |
+}
|
|
|
bec77d |
+
|
|
|
bec77d |
static void
|
|
|
bec77d |
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
|
|
|
bec77d |
{
|
|
|
bec77d |
+ const struct netbuf *caller = fi->caller_addr;
|
|
|
bec77d |
u_int32_t *xidp;
|
|
|
bec77d |
|
|
|
bec77d |
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
|
|
|
bec77d |
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
|
|
|
bec77d |
xidp = __rpcb_get_dg_xidp(xprt);
|
|
|
bec77d |
*xidp = fi->caller_xid;
|
|
|
bec77d |
}
|