|
|
- From 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 Mon Sep 17 00:00:00 2001
- From: Steve Dickson <steved@redhat.com>
- Date: Tue, 9 Oct 2018 09:19:50 -0400
- Subject: [PATCH] rpcinfo: Fix stack buffer overflow
-
- buffer overflow detected: rpcinfo terminated
- ======= Backtrace: =========
- /lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
- /lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
- /lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
- rpcinfo(+0x435f)[0xef3be2635f]
- rpcinfo(+0x1c62)[0xef3be23c62]
- /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
- rpcinfo(+0x2739)[0xef3be24739]
- ======= Memory map: ========
- ...
- The patch below fixes it.
-
- Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
- Signed-off-by: Thomas Blume <thomas.blume@suse.com>
- Signed-off-by: Steve Dickson <steved@redhat.com>
- ---
- src/rpcinfo.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
- --- a/src/rpcinfo.c
- +++ b/src/rpcinfo.c
- @@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
- (" program version(s) netid(s) service owner\n");
- for (rs = rs_head; rs; rs = rs->next)
- {
- + size_t netidmax = sizeof(buf) - 1;
- char *p = buf;
-
- printf ("%10ld ", rs->prog);
- @@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
- }
- printf ("%-10s", buf);
- buf[0] = '\0';
- - for (nl = rs->nlist; nl; nl = nl->next)
- - {
- - strcat (buf, nl->netid);
- - if (nl->next)
- - strcat (buf, ",");
- - }
- +
- + for (nl = rs->nlist; nl; nl = nl->next)
- + {
- + strncat (buf, nl->netid, netidmax);
- + if (strlen (nl->netid) < netidmax)
- + netidmax -= strlen(nl->netid);
- + else
- + break;
- +
- + if (nl->next && netidmax > 1)
- + {
- + strncat (buf, ",", netidmax);
- + netidmax --;
- + }
- + }
- +
- printf ("%-32s", buf);
- rpc = getrpcbynumber (rs->prog);
- if (rpc)
|