git: DragonFly_RELEASE_4_2 rpcbind - Fix crash
Matthew Dillon
dillon at crater.dragonflybsd.org
Tue Sep 29 15:15:05 PDT 2015
commit ad5a3fe50861866ec8e55c14764220db16bb3ffe
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Tue Sep 29 15:13:06 2015 -0700
rpcbind - Fix crash
Bring in 88cb9496ec48 from the FreeBSD repo.
The Sun RPC framework uses a netbuf structure to represent the
transport specific form of a universal transport address. The
structure is expected to be opaque to consumers. In the current
implementation, the structure contains a pointer to a buffer
that holds the actual address.
In rpcbind(8), netbuf structures are copied directly, which would
result in two netbuf structures that reference to one shared
address buffer. When one of the two netbuf structures is freed,
access to the other netbuf structure would result in an undefined
result that may crash the rpcbind(8) daemon.
Fix this by making a copy of the buffer that is going to be freed
instead of doing a shallow copy.
Author: delphij <delphij at FreeBSD.org>
Security: FreeBSD-SA-15:24.rpcbind
Security: CVE-2015-7236
Summary of changes:
usr.sbin/rpcbind/rpcb_svc_com.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/ad5a3fe50861866ec8e55c14764220db16bb3ffe
--
DragonFly BSD source repository
More information about the Commits
mailing list