Date:      Wed, 30 Sep 2015 15:04:41 -0700
From:      Xin Li <delphij@delphij.net>
To:        Robert Blayzor <rblayzor.bulk@inoc.net>, d@delphij.net
Cc:        freebsd-security@freebsd.org, Alfred Perlstein <alfred@freebsd.org>, Hiroki Sato <hrs@freebsd.org>, Rick Macklem <rmacklem@FreeBSD.org>, Doug Rabson <dfr@rabson.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Message-ID:  <560C5C79.3080308@delphij.net>
In-Reply-To: <560C426B.1000608@delphij.net>
References:  <20150929183942.569F311FD@freefall.freebsd.org> <B821DB04-67A9-4F7C-85E1-8ABCF72C6D46@inoc.net> <560C33B7.70100@delphij.net> <AE3C0342-75F1-4703-A685-561A303C3C76@inoc.net> <560C39B3.1020806@delphij.net> <AC5D1DD3-8AD9-49F8-9ECB-5B239E1B97F6@inoc.net> <560C3DF2.5070608@delphij.net> <20BCBD1F-D22E-4878-AB6C-CBE9F7FD4BF2@inoc.net> <560C426B.1000608@delphij.net>


On 09/30/15 13:13, Xin Li wrote:
> On 09/30/15 13:03, Robert Blayzor wrote:
>> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij@delphij.net> wrote:
>>>
>>> Can you make this change and see if it helps?
>>>
>>> Index: rpcb_svc_com.c
>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>>> --- rpcb_svc_com.c	(revision 288421)
>>> +++ rpcb_svc_com.c	(working copy)
>>> @@ -1052,7 +1052,7 @@ static bool_t
>>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>>> {
>>>
>>> -	assert(dst->buf =3D=3D NULL);
>>> +	assert(dst->len =3D=3D 0 || dst->buf =3D=3D NULL);
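Review bot: weakening the assertion to `dst->len == 0 || dst->buf == NULL` only relabels the symptom; a dst with len 0 but a non-NULL buf is now accepted, and the malloc that follows the assertion (visible as the removed lines in the attached patch) then overwrites that pointer without freeing it, so a stale buffer is silently leaked instead of reported. Suggest keeping the strict check until the caller that hands in a non-fresh netbuf is identified.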
>> …
>>
>>
>> Same result:
>>
>>
>> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.
>
> Hmm, this suggests there is either a use-after-free or a memory leak
> with the existing code.  I will need some time to further investigate this.
>
> In the meantime, please comment out the assertion (which turns the crash
> back into a memory leak in the worst case).

Please try the attached patch, which will reallocate the buffer only when
the passed-in netbuf is of a different size.

Cheers,
--
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die

[Attachment: rpcbind.diff (text/x-patch)]

Index: usr.sbin/rpcbind/rpcb_svc_com.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- usr.sbin/rpcbind/rpcb_svc_com.c	(revision 288421)
+++ usr.sbin/rpcbind/rpcb_svc_com.c	(working copy)
@@ -1052,12 +1052,15 @@ static bool_t
 netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
 {
=20
-	assert(dst->buf =3D=3D NULL);
+	if (dst->len !=3D src->len || dst->buf =3D=3D NULL) {
+		if (dst->buf !=3D NULL)
+			free(dst->buf);
+		if ((dst->buf =3D malloc(src->len)) =3D=3D NULL)
+			return (FALSE);
=20
-	if ((dst->buf =3D malloc(src->len)) =3D=3D NULL)
-		return (FALSE);
+		dst->maxlen =3D dst->len =3D src->len;
+	}
=20
-	dst->maxlen =3D dst->len =3D src->len;
 	memcpy(dst->buf, src->buf, src->len);
 	return (TRUE);
 }
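Review bot: the `free(dst->buf)` in the new branch treats any non-NULL dst->buf as a live allocation, but the thread has not yet settled whether the failed `assert(dst->buf == NULL)` meant a leak or a use-after-free; in the latter case this free becomes a double free. Suggest confirming how callers leave dst->buf (and zeroing it wherever it is freed elsewhere) before landing this. Separately, keying the reallocation on `dst->len != src->len` rather than `dst->maxlen < src->len` discards a buffer that is already large enough, and the reuse path then depends on dst->len already equalling src->len; testing against maxlen and setting `dst->len = src->len` unconditionally after the branch would make the reuse path correct regardless of how dst->len was left.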

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?560C5C79.3080308>