mirrors/reactos
0
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-11-23 19:43:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

[LIBTIRPC] Fix CVE-2017-8779 by backporting its fix

Browse Source 
CORE-13460
This commit is contained in:
Pierre Schweitzer 2017-10-15 13:54:11 +02:00
parent dd0027ba19
commit 6808e7d25b
4 changed files with 127 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
dll/3rdparty/libtirpc/src/rpc_generic.c vendored
View File

@ -679,6 +679,11 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
switch (af) {
case AF_INET:
#ifdef __REACTOS__ // CVE-2017-8779
if (nbuf->len < sizeof(*sin)) {
return NULL;
}
#endif
sin = nbuf->buf;
if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
== NULL)
@ -690,6 +695,11 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
break;
#ifdef INET6
case AF_INET6:
#ifdef __REACTOS__ // CVE-2017-8779
if (nbuf->len < sizeof(*sin6)) {
return NULL;
}
#endif
sin6 = nbuf->buf;
if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
== NULL)
@ -736,6 +746,10 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
port = 0;
sin = NULL;
#ifdef __REACTOS__ // CVE-2017-8779
if (uaddr == NULL)
return NULL;
#endif
addrstr = strdup(uaddr);
if (addrstr == NULL)
return NULL;

44
dll/3rdparty/libtirpc/src/rpcb_prot.c vendored
View File

@ -42,6 +42,9 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/rpcb_prot.h>
#ifdef __REACTOS__ // CVE-2017-8779
#include "rpc_com.h"
#endif
bool_t
xdr_rpcb(xdrs, objp)
@ -54,6 +57,7 @@ xdr_rpcb(xdrs, objp)
if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
return (FALSE);
}
#ifndef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
return (FALSE);
}
@ -63,6 +67,17 @@ xdr_rpcb(xdrs, objp)
if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
return (FALSE);
}
#else
if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
return (FALSE);
}
#endif
return (TRUE);
}
@ -160,21 +175,39 @@ xdr_rpcb_entry(xdrs, objp)
XDR *xdrs;
rpcb_entry *objp;
{
#ifndef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
return (FALSE);
}
#else
if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
return (FALSE);
}
#endif
if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
return (FALSE);
}
#ifndef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
return (FALSE);
}
#else
if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
return (FALSE);
}
if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
return (FALSE);
}
#endif
return (TRUE);
}
@ -293,7 +326,11 @@ xdr_rpcb_rmtcallres(xdrs, p)
bool_t dummy;
struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
#ifdef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
#else
if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
#endif
return (FALSE);
}
if (!xdr_u_int(xdrs, &objp->results.results_len)) {
@ -313,6 +350,13 @@ xdr_netbuf(xdrs, objp)
if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
return (FALSE);
}
#ifdef __REACTOS__ // CVE-2017-8779
if (objp->maxlen > RPC_MAXDATASIZE) {
return (FALSE);
}
#endif
dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
(u_int *)&(objp->len), objp->maxlen);
return (dummy);

19
dll/3rdparty/libtirpc/src/rpcb_st_xdr.c vendored
View File

@ -39,6 +39,9 @@
#include <wintirpc.h>
#include <rpc/rpc.h>
#ifdef __REACTOS__ // CVE-2017-8779
#include "rpc_com.h"
#endif
/* Link list of all the stats about getport and getaddr */
@ -60,7 +63,11 @@ xdr_rpcbs_addrlist(xdrs, objp)
if (!xdr_int(xdrs, &objp->failure)) {
return (FALSE);
}
#ifdef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
#else
if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
#endif
return (FALSE);
}
@ -111,7 +118,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
IXDR_PUT_INT32(buf, objp->failure);
IXDR_PUT_INT32(buf, objp->indirect);
}
#ifdef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
#else
if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
#endif
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,
@ -149,7 +160,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
objp->failure = (int)IXDR_GET_INT32(buf);
objp->indirect = (int)IXDR_GET_INT32(buf);
}
#ifdef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
#else
if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
#endif
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,
@ -177,7 +192,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
if (!xdr_int(xdrs, &objp->indirect)) {
return (FALSE);
}
#ifdef __REACTOS__ // CVE-2017-8779
if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
#else
if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
#endif
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **)&objp->next,

50
dll/3rdparty/libtirpc/src/xdr.c vendored
View File

@ -44,8 +44,14 @@
#include <stdlib.h>
#include <string.h>
#ifdef __REACTOS__ // CVE-2017-8779
#include <rpc/rpc.h>
#endif
#include <rpc/types.h>
#include <rpc/xdr.h>
#ifdef __REACTOS__ // CVE-2017-8779
#include <rpc/rpc_com.h>
#endif
typedef quad_t longlong_t; /* ANSI long long type */
typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
@ -55,7 +61,9 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
*/
#define XDR_FALSE ((long) 0)
#define XDR_TRUE ((long) 1)
#ifndef __REACTOS__ // CVE-2017-8779
#define LASTUNSIGNED ((u_int) 0-1)
#endif
/*
* for unit alignment
@ -533,6 +541,9 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
{
char *sp = *cpp; /* sp is the actual string pointer */
u_int nodesize;
#ifdef __REACTOS__ // CVE-2017-8779
bool_t ret, allocated = FALSE;
#endif
/*
* first deal with the length since xdr bytes are counted
@ -556,6 +567,9 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
}
if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
#ifdef __REACTOS__ // CVE-2017-8779
allocated = TRUE;
#endif
}
if (sp == NULL) {
//warnx("xdr_bytes: out of memory");
@ -564,7 +578,18 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
/* FALLTHROUGH */
case XDR_ENCODE:
#ifndef __REACTOS__ // CVE-2017-8779
return (xdr_opaque(xdrs, sp, nodesize));
#else
ret = xdr_opaque(xdrs, sp, nodesize);
if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
if (allocated == TRUE) {
free(sp);
*cpp = NULL;
}
}
return (ret);
#endif
case XDR_FREE:
if (sp != NULL) {
@ -658,6 +683,9 @@ xdr_string(xdrs, cpp, maxsize)
char *sp = *cpp; /* sp is the actual string pointer */
u_int size;
u_int nodesize;
#ifdef __REACTOS__ // CVE-2017-8779
bool_t ret, allocated = FALSE;
#endif
/*
* first deal with the length since xdr strings are counted-strings
@ -697,8 +725,15 @@ xdr_string(xdrs, cpp, maxsize)
switch (xdrs->x_op) {
case XDR_DECODE:
#ifndef __REACTOS__ // CVE-2017-8779
if (sp == NULL)
*cpp = sp = mem_alloc(nodesize);
#else
if (sp == NULL) {
*cpp = sp = mem_alloc(nodesize);
allocated = TRUE;
}
#endif
if (sp == NULL) {
//warnx("xdr_string: out of memory");
return (FALSE);
@ -707,7 +742,18 @@ xdr_string(xdrs, cpp, maxsize)
/* FALLTHROUGH */
case XDR_ENCODE:
#ifndef __REACTOS__ // CVE-2017-8779
return (xdr_opaque(xdrs, sp, size));
#else
ret = xdr_opaque(xdrs, sp, size);
if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
if (allocated == TRUE) {
free(sp);
*cpp = NULL;
}
}
return (ret);
#endif
case XDR_FREE:
mem_free(sp, nodesize);
@ -727,7 +773,11 @@ xdr_wrapstring(xdrs, cpp)
XDR *xdrs;
char **cpp;
{
#ifdef __REACTOS__ // CVE-2017-8779
return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
#else
return xdr_string(xdrs, cpp, LASTUNSIGNED);
#endif
}
/*