From owner-svn-src-releng@freebsd.org Tue Sep 29 18:07:21 2015
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B8125A0B3B5;
 Tue, 29 Sep 2015 18:07:21 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A69C211B8;
 Tue, 29 Sep 2015 18:07:21 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8TI7LG2006188;
 Tue, 29 Sep 2015 18:07:21 GMT
 (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8TI7JWC006177;
 Tue, 29 Sep 2015 18:07:19 GMT
 (envelope-from delphij@FreeBSD.org)
Message-Id: <201509291807.t8TI7JWC006177@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f
From: Xin LI
Date: Tue, 29 Sep 2015 18:07:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r288385 - in releng: 10.1 10.1/sys/conf 10.1/usr.sbin/rpcbind 10.2 10.2/sys/conf 10.2/usr.sbin/rpcbind 9.3 9.3/sys/conf 9.3/usr.sbin/rpcbind
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 29 Sep 2015 18:07:21 -0000

Author: delphij
Date: Tue Sep 29 18:07:18 2015
New Revision: 288385
URL: https://svnweb.freebsd.org/changeset/base/288385

Log:
  The Sun RPC framework uses a netbuf structure to represent the
  transport specific form of a universal transport address. The
  structure is expected to be opaque to consumers. In the current
  implementation, the structure contains a pointer to a buffer
  that holds the actual address.

  In rpcbind(8), netbuf structures are copied directly, which would
  result in two netbuf structures that reference to one shared
  address buffer. When one of the two netbuf structures is freed,
  access to the other netbuf structure would result in an undefined
  result that may crash the rpcbind(8) daemon.

  Fix this by making a copy of the buffer that is going to be freed
  instead of doing a shallow copy.

Security: FreeBSD-SA-15:24.rpcbind Security: CVE-2015-7236 Approved by: so Modified: releng/10.1/UPDATING releng/10.1/sys/conf/newvers.sh releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c releng/10.2/UPDATING releng/10.2/sys/conf/newvers.sh releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c releng/9.3/UPDATING releng/9.3/sys/conf/newvers.sh releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.1/UPDATING Tue Sep 29 18:07:18 2015 (r288385) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150929: p21 FreeBSD-SA-15:24.rpcbind + + Fix rpcbind(8) remote denial of service. [SA-15:24] + 20150916: p20 FreeBSD-EN-15:18.pkg Implement pubkey support for pkg(7) bootstrap. [EN-15:18] Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.1/sys/conf/newvers.sh Tue Sep 29 18:07:18 2015 (r288385) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p20" +BRANCH="RELEASE-p21" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:07:18 2015 (r288385) @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include 
@@ -1048,19 +1049,31 @@ netbufcmp(struct netbuf *n1, struct netb return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len)); } +static bool_t +netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) +{ + + assert(dst->buf == NULL); + + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); + + dst->maxlen = dst->len = src->len; + memcpy(dst->buf, src->buf, src->len); + return (TRUE); +} + static struct netbuf * netbufdup(struct netbuf *ap) { struct netbuf *np; - if ((np = malloc(sizeof(struct netbuf))) == NULL) + if ((np = calloc(1, sizeof(struct netbuf))) == NULL) return (NULL); - if ((np->buf = malloc(ap->len)) == NULL) { + if (netbuf_copybuf(np, ap) == FALSE) { free(np); return (NULL); } - np->maxlen = np->len = ap->len; - memcpy(np->buf, ap->buf, ap->len); return (np); } @@ -1068,6 +1081,7 @@ static void netbuffree(struct netbuf *ap) { free(ap->buf); + ap->buf = NULL; free(ap); } @@ -1185,7 +1199,7 @@ xprt_set_caller(SVCXPRT *xprt, struct fi { u_int32_t *xidp; - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); + netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr); xidp = __rpcb_get_dg_xidp(xprt); *xidp = fi->caller_xid; } Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.2/UPDATING Tue Sep 29 18:07:18 2015 (r288385) 
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150929: p4 FreeBSD-SA-15:24.rpcbind + + Fix rpcbind(8) remote denial of service. [SA-15:24] + 20150916: p3 FreeBSD-EN-15:16.pw FreeBSD-EN-15:17.libc FreeBSD-EN-15:18.pkg Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.2/sys/conf/newvers.sh Tue Sep 29 18:07:18 2015 (r288385) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:06:27 2015 (r288384) +++ releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:07:18 2015 (r288385) @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -1048,19 +1049,31 @@ netbufcmp(struct netbuf *n1, struct netb return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len)); } +static bool_t +netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) +{ + + assert(dst->buf == NULL); + + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); + + dst->maxlen = dst->len = src->len; + memcpy(dst->buf, src->buf, src->len); + return (TRUE); +} + static struct netbuf * netbufdup(struct netbuf *ap) { struct netbuf *np; - if ((np = malloc(sizeof(struct netbuf))) == NULL) + if ((np = calloc(1, sizeof(struct netbuf))) == NULL) return (NULL); - if ((np->buf = malloc(ap->len)) == NULL) { + if (netbuf_copybuf(np, ap) == FALSE) { free(np); return (NULL); } - np->maxlen = np->len = ap->len; - memcpy(np->buf, ap->buf, ap->len); return (np); } 
@@ -1068,6 +1081,7 @@ static void netbuffree(struct netbuf *ap) { free(ap->buf); + ap->buf = NULL; free(ap); } @@ -1185,7 +1199,7 @@ xprt_set_caller(SVCXPRT *xprt, struct fi { u_int32_t *xidp; - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); + netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr); xidp = __rpcb_get_dg_xidp(xprt); *xidp = fi->caller_xid; } Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Tue Sep 29 18:06:27 2015 (r288384) +++ releng/9.3/UPDATING Tue Sep 29 18:07:18 2015 (r288385) @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150929: p27 FreeBSD-SA-15:24.rpcbind + + Fix rpcbind(8) remote denial of service. [SA-15:24] + 20150916: p26 FreeBSD-EN-15:18.pkg Implement pubkey support for pkg(7) bootstrap. [EN-15:18] Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Tue Sep 29 18:06:27 2015 (r288384) +++ releng/9.3/sys/conf/newvers.sh Tue Sep 29 18:07:18 2015 (r288385) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p26" +BRANCH="RELEASE-p27" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:06:27 2015 (r288384) +++ releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Tue Sep 29 18:07:18 2015 (r288385) @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include 
@@ -1048,19 +1049,31 @@ netbufcmp(struct netbuf *n1, struct netb return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len)); } +static bool_t +netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) +{ + + assert(dst->buf == NULL); + + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); + + dst->maxlen = dst->len = src->len; + memcpy(dst->buf, src->buf, src->len); + return (TRUE); +} + static struct netbuf * netbufdup(struct netbuf *ap) { struct netbuf *np; - if ((np = malloc(sizeof(struct netbuf))) == NULL) + if ((np = calloc(1, sizeof(struct netbuf))) == NULL) return (NULL); - if ((np->buf = malloc(ap->len)) == NULL) { + if (netbuf_copybuf(np, ap) == FALSE) { free(np); return (NULL); } - np->maxlen = np->len = ap->len; - memcpy(np->buf, ap->buf, ap->len); return (np); } @@ -1068,6 +1081,7 @@ static void netbuffree(struct netbuf *ap) { free(ap->buf); + ap->buf = NULL; free(ap); } 
@@ -1185,7 +1199,7 @@ xprt_set_caller(SVCXPRT *xprt, struct fi { u_int32_t *xidp; - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); + netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr); xidp = __rpcb_get_dg_xidp(xprt); *xidp = fi->caller_xid; } From owner-svn-src-releng@freebsd.org Fri Oct 2 16:37:09 2015 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 86674A0EEB1; Fri, 2 Oct 2015 16:37:09 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 74CA712C3; Fri, 2 Oct 2015 16:37:09 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t92Gb93T082680; Fri, 2 Oct 2015 16:37:09 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t92Gb6Wg082669; Fri, 2 Oct 2015 16:37:06 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201510021637.t92Gb6Wg082669@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f 
From: Xin LI Date: Fri, 2 Oct 2015 16:37:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r288512 - in releng: 10.1 10.1/sys/conf 10.1/usr.sbin/rpcbind 10.2 10.2/sys/conf 10.2/usr.sbin/rpcbind 9.3 9.3/sys/conf 9.3/usr.sbin/rpcbind X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2015 16:37:09 -0000 Author: delphij Date: Fri Oct 2 16:37:06 2015 New Revision: 288512 URL: https://svnweb.freebsd.org/changeset/base/288512 Log: Fix a regression with SA-15:24 patch that prevented NIS from working. Approved by: so Modified: releng/10.1/UPDATING releng/10.1/sys/conf/newvers.sh releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c releng/10.2/UPDATING releng/10.2/sys/conf/newvers.sh releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c releng/9.3/UPDATING releng/9.3/sys/conf/newvers.sh releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.1/UPDATING Fri Oct 2 16:37:06 2015 (r288512) 
@@ -16,6 +16,9 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20151002: p22 FreeBSD-SA-15:24.rpcbind [revised] + Revised patch to address a regression that prevents NIS from working. + 20150929: p21 FreeBSD-SA-15:24.rpcbind Fix rpcbind(8) remote denial of service. [SA-15:24] Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.1/sys/conf/newvers.sh Fri Oct 2 16:37:06 2015 (r288512) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p21" +BRANCH="RELEASE-p22" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.1/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:37:06 2015 (r288512) @@ -1053,12 +1053,15 @@ static bool_t netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) { - assert(dst->buf == NULL); + if (dst->len != src->len || dst->buf == NULL) { + if (dst->buf != NULL) + free(dst->buf); + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); - if ((dst->buf = malloc(src->len)) == NULL) - return (FALSE); + dst->maxlen = dst->len = src->len; + } - dst->maxlen = dst->len = src->len; memcpy(dst->buf, src->buf, src->len); return (TRUE); } Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.2/UPDATING Fri Oct 2 16:37:06 2015 (r288512) 
@@ -16,6 +16,9 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20151002: p5 FreeBSD-SA-15:24.rpcbind [revised] + Revised patch to address a regression that prevents NIS from working. + 20150929: p4 FreeBSD-SA-15:24.rpcbind Fix rpcbind(8) remote denial of service. [SA-15:24] Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.2/sys/conf/newvers.sh Fri Oct 2 16:37:06 2015 (r288512) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:36:16 2015 (r288511) +++ releng/10.2/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:37:06 2015 (r288512) @@ -1053,12 +1053,15 @@ static bool_t netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) { - assert(dst->buf == NULL); + if (dst->len != src->len || dst->buf == NULL) { + if (dst->buf != NULL) + free(dst->buf); + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); - if ((dst->buf = malloc(src->len)) == NULL) - return (FALSE); + dst->maxlen = dst->len = src->len; + } - dst->maxlen = dst->len = src->len; memcpy(dst->buf, src->buf, src->len); return (TRUE); } Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Fri Oct 2 16:36:16 2015 (r288511) +++ releng/9.3/UPDATING Fri Oct 2 16:37:06 2015 (r288512) 
@@ -11,6 +11,9 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20151002: p28 FreeBSD-SA-15:24.rpcbind [revised] + Revised patch to address a regression that prevents NIS from working. + 20150929: p27 FreeBSD-SA-15:24.rpcbind Fix rpcbind(8) remote denial of service. [SA-15:24] Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Fri Oct 2 16:36:16 2015 (r288511) +++ releng/9.3/sys/conf/newvers.sh Fri Oct 2 16:37:06 2015 (r288512) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p27" +BRANCH="RELEASE-p28" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c ============================================================================== --- releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:36:16 2015 (r288511) +++ releng/9.3/usr.sbin/rpcbind/rpcb_svc_com.c Fri Oct 2 16:37:06 2015 (r288512) @@ -1053,12 +1053,15 @@ static bool_t netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) { - assert(dst->buf == NULL); + if (dst->len != src->len || dst->buf == NULL) { + if (dst->buf != NULL) + free(dst->buf); + if ((dst->buf = malloc(src->len)) == NULL) + return (FALSE); - if ((dst->buf = malloc(src->len)) == NULL) - return (FALSE); + dst->maxlen = dst->len = src->len; + } - dst->maxlen = dst->len = src->len; memcpy(dst->buf, src->buf, src->len); return (TRUE); }
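Review bot: In r288385 the new call in xprt_set_caller() drops the bool_t result of netbuf_copybuf(), so when malloc fails the transport's caller netbuf is left with buf == NULL and its previous len/maxlen, and the caller cannot tell. Check the return value and handle FALSE at the call site. Separately, assert(dst->buf == NULL) is a precondition this call site does not establish: the destination is svc_getrpccaller(xprt), and the removed line `*(svc_getrpccaller(xprt)) = *(fi->caller_addr);` overwrote that structure regardless of what it held. If the transport already owns a buffer there, the assert aborts the daemon, and in a build with NDEBUG the old pointer is overwritten and leaked. Either free or reuse an existing buffer inside netbuf_copybuf(), or document that callers must pass an empty netbuf. The same applies to the identical hunks for releng/10.2 and releng/9.3.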
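Review bot: In the netbuffree() hunk of r288385, `ap->buf = NULL;` sits between free(ap->buf) and free(ap), so the store lands in memory that is released on the very next line and protects nothing; any stale pointer to ap is just as dangling afterwards. Drop the line, or, if the intent is to catch reuse after free, have callers clear their own pointer once netbuffree() returns.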
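Review bot: In the revised netbuf_copybuf() of r288512, the failure path frees dst->buf and returns FALSE when malloc fails, which leaves dst->buf == NULL while dst->len and dst->maxlen still describe the freed buffer. Reset dst->len and dst->maxlen to 0 before returning FALSE; xprt_set_caller() from r288385 still ignores the return value, so a later consumer would see a non-zero length with a NULL pointer. Two smaller points: the reuse test compares dst->len with src->len, but the capacity is dst->maxlen, so testing `dst->maxlen < src->len || dst->buf == NULL` and setting dst->len = src->len on every path would avoid a free/malloc cycle when the existing buffer is already large enough; and the `if (dst->buf != NULL)` guard before free() is redundant because free(NULL) is a no-op. The function now frees a buffer it did not allocate, so it needs a comment stating that the destination buffer must have come from malloc().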