git: rpcbind - Fix crash

Matthew Dillon dillon at crater.dragonflybsd.org
Tue Sep 29 15:14:37 PDT 2015


commit a424f9710659af5c0916037b39234c495e3a8499
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Tue Sep 29 15:13:06 2015 -0700

    rpcbind - Fix crash
    
    Bring in 88cb9496ec48 from the FreeBSD repo.
    
    The Sun RPC framework uses a netbuf structure to represent the
    transport specific form of a universal transport address.  The
    structure is expected to be opaque to consumers.  In the current
    implementation, the structure contains a pointer to a buffer
    that holds the actual address.
    
    In rpcbind(8), netbuf structures are copied directly, which would
    result in two netbuf structures that refer to one shared
    address buffer.  When one of the two netbuf structures is freed,
    access to the other netbuf structure would result in an undefined
    result that may crash the rpcbind(8) daemon.
    
    Fix this by making a copy of the buffer that is going to be freed
    instead of doing a shallow copy.
    
    Author:	    delphij <delphij at FreeBSD.org>
    Security:   FreeBSD-SA-15:24.rpcbind
    Security:   CVE-2015-7236

Summary of changes:
 usr.sbin/rpcbind/rpcb_svc_com.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/a424f9710659af5c0916037b39234c495e3a8499


-- 
DragonFly BSD source repository
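
The shallow-versus-deep copy distinction described in the commit message above, as an added example that is not the code from this commit or from the FreeBSD change it imports. `netbuf_ex` and its helpers are hypothetical stand-ins that mirror netbuf's maxlen/len/buf fields, and the address bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in with the same three fields as the Sun RPC netbuf; named
 * netbuf_ex (hypothetical) so the example needs no RPC headers. */
struct netbuf_ex {
    unsigned int maxlen;  /* capacity of buf */
    unsigned int len;     /* bytes in use */
    void *buf;            /* heap buffer holding the transport address */
};

/* Deep copy: dst gets its own buffer. Returns 0 on success, -1 on
 * inconsistent input or allocation failure (dst is then left empty). */
static int netbuf_ex_deep(struct netbuf_ex *dst, const struct netbuf_ex *src)
{
    dst->maxlen = dst->len = 0;
    dst->buf = NULL;
    if (src->buf == NULL || src->len == 0 || src->len > src->maxlen)
        return -1;
    if ((dst->buf = malloc(src->len)) == NULL)
        return -1;
    memcpy(dst->buf, src->buf, src->len);
    dst->maxlen = dst->len = src->len;
    return 0;
}

/* Release the buffer and clear the fields so a repeated free is harmless. */
static void netbuf_ex_free(struct netbuf_ex *nb)
{
    free(nb->buf);
    nb->buf = NULL;
    nb->maxlen = nb->len = 0;
}

int main(void)
{
    unsigned char addr[8] = {2, 0, 0, 111, 192, 0, 2, 1}; /* constructed bytes */
    struct netbuf_ex src = {sizeof addr, sizeof addr, malloc(sizeof addr)}, alias, copy;
    if (src.buf == NULL)
        return 1;
    memcpy(src.buf, addr, sizeof addr);
    alias = src;                      /* shallow: both structs share one buffer */
    if (alias.buf != src.buf || netbuf_ex_deep(&copy, &src) != 0)
        return 1;
    netbuf_ex_free(&src);             /* alias.buf now dangles; never touch it */
    int ok = memcmp(copy.buf, addr, sizeof addr) == 0;  /* copy is unaffected */
    netbuf_ex_free(&copy);
    return ok ? 0 : 1;
}
```

Building with `-fsanitize=address` and dereferencing `alias.buf` after the first free is a quick way to confirm that a given copy path is shallow.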

