diff --git a/SOURCES/rpcbind-0.2.0-freeing-static-memory.patch b/SOURCES/rpcbind-0.2.0-freeing-static-memory.patch new file mode 100644 index 0000000..bd8490b --- /dev/null +++ b/SOURCES/rpcbind-0.2.0-freeing-static-memory.patch @@ -0,0 +1,128 @@ +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 0c34632..0f104a6 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -616,9 +616,7 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + struct netconfig *nconf; + struct netbuf *caller; + struct r_rmtcall_args a; +- char *buf_alloc = NULL, *outbufp; +- char *outbuf_alloc = NULL; +- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX]; ++ char outbuf[RPC_BUF_MAX]; + struct netbuf *na = (struct netbuf *) NULL; + struct rpc_msg call_msg; + int outlen; +@@ -639,36 +637,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + } + if (si.si_socktype != SOCK_DGRAM) + return; /* Only datagram type accepted */ +- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE); +- if (sendsz == 0) { /* data transfer not supported */ +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- /* +- * Should be multiple of 4 for XDR. +- */ +- sendsz = ((sendsz + 3) / 4) * 4; +- if (sendsz > RPC_BUF_MAX) { +-#ifdef notyet +- buf_alloc = alloca(sendsz); /* not in IDR2? */ +-#else +- buf_alloc = malloc(sendsz); +-#endif /* notyet */ +- if (buf_alloc == NULL) { +- if (debugging) +- xlog(LOG_DEBUG, +- "rpcbproc_callit_com: No Memory!\n"); +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- a.rmt_args.args = buf_alloc; +- } else { +- a.rmt_args.args = buf; +- } ++ sendsz = UDPMSGSIZE; + + call_msg.rm_xid = 0; /* For error checking purposes */ ++ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */ + if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { + if (reply_type == RPCBPROC_INDIRECT) + svcerr_decode(transp); +@@ -704,11 +676,11 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + + rpcbs_rmtcall(versnum - 2, reply_type, a.rmt_prog, a.rmt_vers, + a.rmt_proc, transp->xp_netid, rbl); +- + if (rbl == (rpcblist_ptr)NULL) { + #ifdef RPCBIND_DEBUG + if (debugging) +- xlog(LOG_DEBUG, "not found\n"); ++ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", ++ a.rmt_prog, a.rmt_vers); + #endif + if (reply_type == RPCBPROC_INDIRECT) + svcerr_noprog(transp); +@@ -822,24 +794,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + call_msg.rm_call.cb_rpcvers = RPC_MSG_VERSION; + call_msg.rm_call.cb_prog = a.rmt_prog; + call_msg.rm_call.cb_vers = a.rmt_vers; +- if (sendsz > RPC_BUF_MAX) { +-#ifdef notyet +- outbuf_alloc = alloca(sendsz); /* not in IDR2? */ +-#else +- outbuf_alloc = malloc(sendsz); +-#endif /* notyet */ +- if (outbuf_alloc == NULL) { +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- if (debugging) +- xlog(LOG_DEBUG, +- "rpcbproc_callit_com: No memory!\n"); +- goto error; +- } +- xdrmem_create(&outxdr, outbuf_alloc, sendsz, XDR_ENCODE); +- } else { +- xdrmem_create(&outxdr, outbuf, sendsz, XDR_ENCODE); +- } ++ ++ memset(outbuf, '\0', sendsz); /* Zero out the output buffer */ ++ xdrmem_create(&outxdr, outbuf, sendsz, XDR_ENCODE); ++ + if (!xdr_callhdr(&outxdr, &call_msg)) { + if (reply_type == RPCBPROC_INDIRECT) + svcerr_systemerr(transp); +@@ -904,10 +862,6 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + goto error; + } + outlen = (int) XDR_GETPOS(&outxdr); +- if (outbuf_alloc) +- outbufp = outbuf_alloc; +- else +- outbufp = outbuf; + + na = uaddr2taddr(nconf, local_uaddr); + if (!na) { +@@ -916,7 +870,7 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + goto error; + } + +- if (sendto(fd, outbufp, outlen, 0, (struct sockaddr *)na->buf, na->len) ++ if (sendto(fd, outbuf, outlen, 0, (struct sockaddr *)na->buf, na->len) + != outlen) { + if (debugging) + xlog(LOG_DEBUG, +@@ -941,10 +895,6 @@ out: + } + if (local_uaddr) + free(local_uaddr); +- if (buf_alloc) +- free(buf_alloc); +- if (outbuf_alloc) +- free(outbuf_alloc); + if (na) { + free(na->buf); + free(na); diff --git a/SPECS/rpcbind.spec b/SPECS/rpcbind.spec index bcf93e2..07de071 100644 --- a/SPECS/rpcbind.spec +++ b/SPECS/rpcbind.spec @@ -1,6 +1,6 @@ Name: rpcbind Version: 0.2.0 -Release: 38%{?dist} +Release: 38%{?dist}.1 Summary: Universal Addresses to RPC Program Number Mapper Group: System Environment/Daemons License: BSD @@ -33,6 +33,7 @@ Patch010: rpcbind-0.2.0-debug.patch # RHEL7.3-Z # Patch011: rpcbind-0.2.0-memleaks.patch +Patch012: rpcbind-0.2.0-freeing-static-memory.patch Requires: glibc-common setup @@ -74,6 +75,8 @@ RPC calls on a server on that machine. %patch010 -p1 # 1449462 - CVE-2017-8779 rpcbind: libtirpc, libntirpc: Memory leak... %patch011 -p1 +# 1457172 - rpcbind crash on start +%patch012 -p1 %build %ifarch s390 s390x @@ -187,6 +190,9 @@ fi %dir %attr(700,rpc,rpc) /var/lib/rpcbind %changelog +* Wed May 31 2017 Steve Dickson - 0.2.0-38_3.1 +- Stop freeing static memory (bz 1457172) + * Wed May 17 2017 Steve Dickson - 0.2.0-38_3 - Fixed typo in memory leaks patch (bz 1449462)