Date: Mon, 1 Feb 2021 17:26:07 +0000
From: Edward Tomasz Napierala <trasz@freebsd.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 5299d64b2b9f - main - libc: fix buffer overrun in getrpcport(3)
Message-ID: <YBg5r3eKF1KWSPJ/@brick>
In-Reply-To: <20210131215556.eautrr6esynyic6f@mutt-hbsd>
References: <202101312143.10VLhfV5025431@gitrepo.freebsd.org> <20210131215556.eautrr6esynyic6f@mutt-hbsd>
On 0131T1655, Shawn Webb wrote:
> On Sun, Jan 31, 2021 at 09:43:41PM +0000, Edward Tomasz Napierala wrote:
> > The branch main has been updated by trasz:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=5299d64b2b9f7a25e423ef1785d9402a0ef198d3
> >
> > commit 5299d64b2b9f7a25e423ef1785d9402a0ef198d3
> > Author: Edward Tomasz Napierala <trasz@FreeBSD.org>
> > AuthorDate: 2021-01-31 21:41:55 +0000
> > Commit: Edward Tomasz Napierala <trasz@FreeBSD.org>
> > CommitDate: 2021-01-31 21:42:02 +0000
> >
> > libc: fix buffer overrun in getrpcport(3)
> >
> > Reviewed By: markj
> > Sponsored by: NetApp, Inc.
> > Sponsored by: Klara, Inc.
> > Differential Revision: https://reviews.freebsd.org/D27332
> > ---
> > lib/libc/rpc/getrpcport.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/lib/libc/rpc/getrpcport.c b/lib/libc/rpc/getrpcport.c
> > index 2b2d459c8887..4abc9a0c16af 100644
> > --- a/lib/libc/rpc/getrpcport.c
> > +++ b/lib/libc/rpc/getrpcport.c
> > @@ -62,14 +62,14 @@ getrpcport(char *host, int prognum, int versnum, int proto)
> >
> > assert(host != NULL);
> >
> > - if ((hp = gethostbyname(host)) == NULL)
> > + if ((hp = gethostbyname2(host, AF_INET)) == NULL)
> > return (0);
> > memset(&addr, 0, sizeof(addr));
> > addr.sin_len = sizeof(struct sockaddr_in);
> > addr.sin_family = AF_INET;
> > addr.sin_port = 0;
> > - if (hp->h_length > addr.sin_len)
> > - hp->h_length = addr.sin_len;
> > + if (hp->h_length > sizeof(addr.sin_addr.s_addr))
> > + hp->h_length = sizeof(addr.sin_addr.s_addr);
> > memcpy(&addr.sin_addr.s_addr, hp->h_addr, (size_t)hp->h_length);
> > /* Inconsistent interfaces need casts! :-( */
> > return (pmap_getport(&addr, (u_long)prognum, (u_long)versnum,
>
> Does a fix like this need to get a security advisory report? Also, any
> plans to MFC?

Sorry, I should have used a better commit message... I don't think this
is exploitable, or even triggerable - from my understanding, the
gethostbyname(3) function cannot return a non-AF_INET address, unless
some internal resolver option has been set, which none of the programs
using getrpcport(3) seems to do.
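Review bot: the new clamp `+ if (hp->h_length > sizeof(addr.sin_addr.s_addr))` still silently truncates a longer address to its first four bytes instead of failing, so an unexpected non-IPv4 hostent would be turned into a lookup against a bogus address rather than an error; since the call now asks for AF_INET explicitly with `gethostbyname2(host, AF_INET)`, the clearer check is to reject a mismatch outright, e.g. `if (hp->h_addrtype != AF_INET || hp->h_length != sizeof(addr.sin_addr)) return (0);`, which also removes the comparison between the int h_length and a size_t that a -Wsign-compare build will flag. The commit message should also say what the overrun was: the old cap at addr.sin_len (sizeof(struct sockaddr_in), 16 bytes) allowed a 16-byte address to be memcpy'd into the 4-byte sin_addr at offset 4, writing four bytes past the end of addr.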
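The overrun the commit fixes, as an added example that is not part of this thread or of FreeBSD's libc: it reproduces the pre-fix and post-fix h_length clamps on a constructed struct hostent carrying a 16-byte AF_INET6 address and counts how many bytes land past the end of the sockaddr. The struct bsd_sockaddr_in, the canary wrapper and the hostent contents are this example's own (the struct mirrors FreeBSD's 16-byte sockaddr_in so the code also builds where sin_len does not exist); no resolver is called.

```c
/* Added example, not FreeBSD's code: old vs. new h_length clamp from
 * getrpcport() applied to a constructed 16-byte address. */
#include <netdb.h>       /* struct hostent */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_INET, AF_INET6 */

/* Same layout as FreeBSD's 16-byte struct sockaddr_in, defined locally. */
struct bsd_sockaddr_in {
	uint8_t  sin_len;
	uint8_t  sin_family;
	uint16_t sin_port;
	uint32_t s_addr;       /* sin_addr.s_addr: 4 bytes at offset 4 */
	uint8_t  sin_zero[8];
};

/* The sockaddr followed by a canary, so writes past it can be counted. */
struct guarded {
	struct bsd_sockaddr_in addr;
	uint8_t canary[16];
};

#define CANARY_BYTE 0xAA

static void guarded_init(struct guarded *g)
{
	memset(&g->addr, 0, sizeof(g->addr));
	g->addr.sin_len = sizeof(g->addr);
	g->addr.sin_family = AF_INET;
	memset(g->canary, CANARY_BYTE, sizeof(g->canary));
}

/* Byte copy through a view of the whole object positioned at s_addr, so the
 * overrun stays observable instead of being trapped by a fortified memcpy(). */
static void copy_into_s_addr(struct guarded *g, const void *src, size_t n)
{
	unsigned char *dst = (unsigned char *)g +
	    offsetof(struct guarded, addr) +
	    offsetof(struct bsd_sockaddr_in, s_addr);
	const unsigned char *s = src;
	for (size_t i = 0; i < n; i++)
		dst[i] = s[i];
}

/* Pre-fix clamp: capped at sin_len (16), the size of the whole struct rather
 * than of the 4-byte field being written. Returns the bytes copied. */
size_t fill_old(struct guarded *g, const struct hostent *hp)
{
	size_t len = (size_t)hp->h_length;
	if (len > g->addr.sin_len)
		len = g->addr.sin_len;
	copy_into_s_addr(g, hp->h_addr_list[0], len);
	return len;
}

/* Clamp as committed in 5299d64b2b9f: capped at sizeof(sin_addr.s_addr). */
size_t fill_new(struct guarded *g, const struct hostent *hp)
{
	size_t len = (size_t)hp->h_length;
	if (len > sizeof(g->addr.s_addr))
		len = sizeof(g->addr.s_addr);
	copy_into_s_addr(g, hp->h_addr_list[0], len);
	return len;
}

/* Canary bytes clobbered, i.e. bytes written past the end of the sockaddr. */
size_t overrun_bytes(const struct guarded *g)
{
	size_t n = 0;
	for (size_t i = 0; i < sizeof(g->canary); i++)
		if (g->canary[i] != CANARY_BYTE)
			n++;
	return n;
}

/* Constructed hostent with one 16-byte AF_INET6 address (2001:db8::1), the
 * case the old clamp did not bound; not the result of a real lookup. */
struct hostent *make_v6_hostent(void)
{
	static unsigned char v6[16] = {
	    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
	static char *addrs[] = { (char *)v6, NULL };
	static struct hostent hp;

	hp.h_name = "example.invalid";
	hp.h_aliases = NULL;
	hp.h_addrtype = AF_INET6;
	hp.h_length = sizeof(v6);
	hp.h_addr_list = addrs;
	return &hp;
}

/* Overrun produced by one clamp variant on the constructed address. */
size_t demo_overrun(size_t (*fill)(struct guarded *, const struct hostent *))
{
	struct guarded g;
	guarded_init(&g);
	fill(&g, make_v6_hostent());
	return overrun_bytes(&g);
}

int main(void)
{
	printf("old clamp: %zu bytes past sockaddr_in\n", demo_overrun(fill_old));
	printf("new clamp: %zu bytes past sockaddr_in\n", demo_overrun(fill_new));
	return 0;
}
```

With the old clamp the 16-byte address is copied starting at offset 4, so the last four bytes land beyond the 16-byte struct (and the middle eight overwrite sin_zero); the new clamp copies only four bytes and touches nothing outside sin_addr. The example makes the overrun reach a canary; in the real function the bytes would go into whatever follows addr in the caller's frame.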
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YBg5r3eKF1KWSPJ/>