Date: Wed, 30 Sep 2015 15:04:41 -0700
From: Xin Li <delphij@delphij.net>
To: Robert Blayzor <rblayzor.bulk@inoc.net>, d@delphij.net
Cc: freebsd-security@freebsd.org, Alfred Perlstein <alfred@freebsd.org>, Hiroki Sato <hrs@freebsd.org>, Rick Macklem <rmacklem@FreeBSD.org>, Doug Rabson <dfr@rabson.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Message-ID: <560C5C79.3080308@delphij.net>
In-Reply-To: <560C426B.1000608@delphij.net>
References: <20150929183942.569F311FD@freefall.freebsd.org> <B821DB04-67A9-4F7C-85E1-8ABCF72C6D46@inoc.net> <560C33B7.70100@delphij.net> <AE3C0342-75F1-4703-A685-561A303C3C76@inoc.net> <560C39B3.1020806@delphij.net> <AC5D1DD3-8AD9-49F8-9ECB-5B239E1B97F6@inoc.net> <560C3DF2.5070608@delphij.net> <20BCBD1F-D22E-4878-AB6C-CBE9F7FD4BF2@inoc.net> <560C426B.1000608@delphij.net>
On 09/30/15 13:13, Xin Li wrote:
> On 09/30/15 13:03, Robert Blayzor wrote:
>> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij@delphij.net> wrote:
>>>
>>> Can you make this change and see if it helps?
>>>
>>> Index: rpcb_svc_com.c
>>> ===================================================================
>>> --- rpcb_svc_com.c	(revision 288421)
>>> +++ rpcb_svc_com.c	(working copy)
>>> @@ -1052,7 +1052,7 @@ static bool_t
>>>  netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>>>  {
>>> 
>>> -	assert(dst->buf == NULL);
>>> +	assert(dst->len == 0 || dst->buf == NULL);
>> …
>>
>>
>> Same result:
>>
>>
>> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.
>
> Hmm this suggests there were either a use-after-free or a memory leak
> with existing code.  I will need some time to further investigate this.
>
> In the meantime, please comment out the assertion (which turns the crash
> back into memory leak in the worst case).

Please try the attached patch, which will reallocate buffer only when the
passed in netbuf is of a different size.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die

Attachment: rpcbind.diff (text/x-patch)

Index: usr.sbin/rpcbind/rpcb_svc_com.c
===================================================================
--- usr.sbin/rpcbind/rpcb_svc_com.c	(revision 288421)
+++ usr.sbin/rpcbind/rpcb_svc_com.c	(working copy)
@@ -1052,12 +1052,15 @@ static bool_t
 netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
 {
 
-	assert(dst->buf == NULL);
+	if (dst->len != src->len || dst->buf == NULL) {
+		if (dst->buf != NULL)
+			free(dst->buf);
+		if ((dst->buf = malloc(src->len)) == NULL)
+			return (FALSE);
 
-	if ((dst->buf = malloc(src->len)) == NULL)
-		return (FALSE);
+		dst->maxlen = dst->len = src->len;
+	}
 
-	dst->maxlen = dst->len = src->len;
 	memcpy(dst->buf, src->buf, src->len);
 	return (TRUE);
 }
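Review bot: on the quoted earlier hunk (the assertion change at line 1052 of rpcb_svc_com.c), `assert(dst->len == 0 || dst->buf == NULL)` still aborts for any netbuf that arrives already owning a buffer with a non-zero length, which is exactly what Robert's "Same result" failure at line 1056 reports, so the relaxed check tells us nothing about where that netbuf came from. An assert also only fires in builds without NDEBUG; in a release build the unconditional `dst->buf = malloc(src->len)` that follows (visible as a removed line in the attached patch) overwrites a non-NULL dst->buf silently, which is the leak the reply mentions. Before relaxing the assertion, a more useful diagnostic would print dst->buf, dst->len and dst->maxlen (and ideally the calling function) so the caller that reuses a netbuf can be identified.

Review bot: in the attached rpcbind.diff hunk, the malloc-failure path leaves the netbuf inconsistent: `free(dst->buf)` has already run, `dst->buf = malloc(src->len)` fails, and the function returns FALSE with dst->buf == NULL while dst->len and dst->maxlen still hold the old size, so a later reader sees a non-zero length with no backing buffer. Suggest `dst->len = dst->maxlen = 0;` before `return (FALSE);`, or allocating into a temporary and freeing the old buffer only once the new allocation succeeded. Separately, dropping the assertion entirely means the function now trusts that any non-NULL dst->buf is heap memory owned by this netbuf and frees it; since the thread has not yet established whether the earlier assertion failure came from a use-after-free or a leak, a stale or uninitialized dst->buf would now become a double free or invalid free instead of an abort. A debug-only check such as `assert(dst->buf == NULL || dst->maxlen >= dst->len)` would keep some of that protection.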