commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0
Author: Steve Dickson <steved@redhat.com>
Date:   Tue Oct 9 09:19:50 2018 -0400
    rpcinfo: Fix stack buffer overflow
    
    *** buffer overflow detected ***: rpcinfo terminated
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
    /lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
    /lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
    rpcinfo(+0x435f)[0xef3be2635f]
    rpcinfo(+0x1c62)[0xef3be23c62]
    /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
    rpcinfo(+0x2739)[0xef3be24739]
    ======= Memory map: ========
    ...
    The patch below fixes it.
    
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Thomas Blume <thomas.blume@suse.com>
    Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/rpcinfo.c b/src/rpcinfo.c
6a6243
index 9b46864..cfdba88 100644
6a6243
--- a/src/rpcinfo.c
6a6243
+++ b/src/rpcinfo.c
6a6243
@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
6a6243
 	("   program version(s) netid(s)                         service     owner\n");
6a6243
       for (rs = rs_head; rs; rs = rs->next)
6a6243
 	{
6a6243
+	  size_t netidmax = sizeof(buf) - 1;
6a6243
 	  char *p = buf;
6a6243
 
6a6243
 	  printf ("%10ld  ", rs->prog);
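Review bot: `netidmax` is initialised from `sizeof(buf) - 1`, which equals the buffer capacity only if `buf` is a true array in this scope; its declaration is outside the hunk, so that should be confirmed. The same `buf` also appears to be written through `p` before the later `printf ("%-10s", buf)`, in lines between the two hunks that are not shown here. If that write is unbounded, the same class of stack overflow may remain for a long version list, and it deserves the same length accounting. The counter would also read better declared next to the netid loop that uses it, with a comment such as `/* bytes still free in buf for the netid list, excluding the NUL */`.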
6a6243
@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
6a6243
 	    }
6a6243
 	  printf ("%-10s", buf);
6a6243
 	  buf[0] = '\0';
6a6243
-	  for (nl = rs->nlist; nl; nl = nl->next)
6a6243
-	    {
6a6243
-	      strcat (buf, nl->netid);
6a6243
-	      if (nl->next)
6a6243
-		strcat (buf, ",");
6a6243
-	    }
6a6243
+
6a6243
+          for (nl = rs->nlist; nl; nl = nl->next)
6a6243
+            {
6a6243
+              strncat (buf, nl->netid, netidmax);
6a6243
+              if (strlen (nl->netid) < netidmax)
6a6243
+                netidmax -= strlen(nl->netid);
6a6243
+              else
6a6243
+                break;
6a6243
+
6a6243
+              if (nl->next && netidmax > 1)
6a6243
+                {
6a6243
+                  strncat (buf, ",", netidmax);
6a6243
+                  netidmax --;
6a6243
+                }
6a6243
+            }
6a6243
+
6a6243
 	  printf ("%-32s", buf);
6a6243
 	  rpc = getrpcbynumber (rs->prog);
6a6243
 	  if (rpc)
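Review bot: When a netid does not fit, `strncat (buf, nl->netid, netidmax)` has already copied a prefix of it before the `else break;` runs, so the printed list can end in a partial name or a trailing comma. A partial name can read as a different, valid-looking netid. The bounds arithmetic itself looks right, but I would test the length first and append only whole entries, which also avoids calling `strlen (nl->netid)` twice. The new lines are indented with spaces while the surrounding context uses tabs, and `netidmax --` would conventionally be `netidmax--`. The body of `rpcbdump` starts and ends outside this hunk.

```c
	  /* … unchanged: printf ("%-10s", buf); buf[0] = '\0'; … */
	  for (nl = rs->nlist; nl; nl = nl->next)
	    {
	      size_t len = strlen (nl->netid);
	      size_t sep = (nl != rs->nlist) ? 1 : 0;

	      /* Append only whole entries: stop before one that does not fit.  */
	      if (len + sep > netidmax)
		break;
	      if (sep)
		strncat (buf, ",", netidmax);
	      strncat (buf, nl->netid, netidmax - sep);
	      netidmax -= len + sep;
	    }
	  /* … unchanged: printf ("%-32s", buf); … */
```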