Date: Mon, 1 Feb 2021 17:26:07 +0000
From: Edward Tomasz Napierala To: Shawn Webb Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: 5299d64b2b9f - main - libc: fix buffer overrun in getrpcport(3) Message-ID: Mail-Followup-To: Shawn Webb , src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org References: <202101312143.10VLhfV5025431@gitrepo.freebsd.org> <20210131215556.eautrr6esynyic6f@mutt-hbsd> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210131215556.eautrr6esynyic6f@mutt-hbsd> X-Rspamd-Queue-Id: 4DTvxH64gVz4Sgx X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Feb 2021 17:26:12 -0000 On 0131T1655, Shawn Webb wrote: > On Sun, Jan 31, 2021 at 09:43:41PM +0000, Edward Tomasz Napierala wrote: > > The branch main has been updated by trasz: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=5299d64b2b9f7a25e423ef1785d9402a0ef198d3 > > > > commit 5299d64b2b9f7a25e423ef1785d9402a0ef198d3 > > Author: Edward Tomasz Napierala > > AuthorDate: 2021-01-31 21:41:55 +0000 > > Commit: Edward Tomasz Napierala > > CommitDate: 2021-01-31 21:42:02 +0000 > > > > libc: fix buffer overrun in getrpcport(3) > > > > Reviewed By: markj > > Sponsored by: NetApp, Inc. > > Sponsored by: Klara, Inc. > > Differential Revision: https://reviews.freebsd.org/D27332 > > --- > > lib/libc/rpc/getrpcport.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/lib/libc/rpc/getrpcport.c b/lib/libc/rpc/getrpcport.c > > index 2b2d459c8887..4abc9a0c16af 100644 > > --- a/lib/libc/rpc/getrpcport.c 
> > +++ b/lib/libc/rpc/getrpcport.c > > @@ -62,14 +62,14 @@ getrpcport(char *host, int prognum, int versnum, int proto) > > > > assert(host != NULL); > > > > - if ((hp = gethostbyname(host)) == NULL) > > + if ((hp = gethostbyname2(host, AF_INET)) == NULL) > > return (0); > > memset(&addr, 0, sizeof(addr)); > > addr.sin_len = sizeof(struct sockaddr_in); > > addr.sin_family = AF_INET; > > addr.sin_port = 0; > > - if (hp->h_length > addr.sin_len) > > - hp->h_length = addr.sin_len; > > + if (hp->h_length > sizeof(addr.sin_addr.s_addr)) > > + hp->h_length = sizeof(addr.sin_addr.s_addr); > > memcpy(&addr.sin_addr.s_addr, hp->h_addr, (size_t)hp->h_length); > > /* Inconsistent interfaces need casts! :-( */ > > return (pmap_getport(&addr, (u_long)prognum, (u_long)versnum, > > Does a fix like this need to get a security advisory report? Also, any > plans to MFC? Sorry, I should have used a better commit message... I don't think this is exploitable, or even triggerable - from my understanding, the gethostbyname(3) function cannot return non-AF_INET address, unless some internal resolver option has been set, which none of the programs using getrpcport(3) seems to do.
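Review bot: In the clamp ahead of the memcpy, `hp->h_length = sizeof(addr.sin_addr.s_addr);` still writes into the resolver-owned struct hostent and silently truncates an over-long address instead of rejecting it. Now that the lookup is gethostbyname2(host, AF_INET), any length other than sizeof(addr.sin_addr.s_addr) is an unexpected result, so consider `return (0);` when the lengths differ, or copy through a local size_t, rather than modifying hp. The comparison also mixes the signed h_length with a size_t, while the (size_t) cast is applied only at the memcpy. A short comment noting that the old bound, addr.sin_len, is the size of the whole sockaddr_in whereas the destination is only the s_addr field would document why the bound changed, which the commit message does not say.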