path: root/src/rpcb_svc.c
author: Doran Moppert <dmoppert@redhat.com> 2017-05-11 11:42:54 -0400
committer: Steve Dickson <steved@redhat.com> 2017-05-11 11:47:52 -0400
commit: 7ea36eeece56b59f98e469934e4c20b4da043346 (patch)
tree: 7622fb94a23816d71286f00bdaf41b20bf2016d7 /src/rpcb_svc.c
parent: ee569be4d6189a68b38d2af162af00ff475b48e2 (diff)
download: rpcbind-7ea36eeece56b59f98e469934e4c20b4da043346.tar.gz

rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak (tag: rpcbind-0_2_5-rc1)
This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed at [1], [2], [3]. The last link suggests this issue is actually a bug in rpcbind, which led me here.

The leak caused by the reproducer at [4] appears to come from rpcb_service_4(), in the case where svc_getargs() returns false and the function had an early return, rather than passing through the cleanup path at done:, as would otherwise occur. It also addresses a couple of other locations where the same fault seems to exist, though I haven't been able to exercise those.

I hope someone more intimate with rpc(3) can confirm my understanding is correct, and that I haven't introduced any new bugs.

Without this patch, using the reproducer (and variants) repeatedly against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof rpcbind)/status reports a VmSize increase of 976564 kB each call, and a VmRSS increase of around 260 kB every 33 calls; the specific numbers are probably an artifact of my rhel/glibc version.

With the patch, there is a small (~50 kB) VmSize increase with the first message, but thereafter both VmSize and VmRSS remain steady.

[1]: http://seclists.org/oss-sec/2017/q2/209
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
[4]: https://github.com/guidovranken/rpcbomb/

Signed-off-by: Doran Moppert <dmoppert@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
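The leak pattern the commit message describes, as an added illustration that is not rpcbind's own code: a stand-in for svc_getargs() that allocates for the first field of the argument and then fails on a later field, a dispatcher in the pre-patch shape (early `return`) and one in the patched shape (`goto done`). The `fake_args` type, `fake_getargs()`, `fake_freeargs()`, the `live_allocs` counter and `leaked_after()` are constructed for this demo; the real svc_freeargs() releases decoded fields through XDR_FREE, which the stand-in only imitates.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an rpcbind argument struct: a buffer the
 * decoder allocates for the first field, then a numeric field whose
 * decode may fail. Not rpcbind's real rpcb/rpcblist types. */
typedef struct {
    char *buf;          /* allocated by the decoder, owned by the caller */
    size_t len;
    unsigned int proc;
} fake_args;

static long live_allocs;   /* allocations not yet freed (demo bookkeeping) */

/* Stand-in for svc_getargs(): allocates buf for the first field, then
 * returns false if the second field is malformed. On that failure buf
 * is still allocated, exactly the state a partial XDR decode leaves. */
static bool fake_getargs(fake_args *a, size_t len, bool second_ok)
{
    a->buf = malloc(len ? len : 1);
    if (a->buf == NULL)
        return false;
    live_allocs++;
    a->len = len;
    if (!second_ok)
        return false;       /* partial decode; caller still owns buf */
    a->proc = 1;
    return true;
}

/* Stand-in for svc_freeargs() with XDR_FREE: releases whatever fields
 * were decoded. Safe on a zeroed struct that was only partly filled. */
static void fake_freeargs(fake_args *a)
{
    if (a->buf != NULL) {
        free(a->buf);
        a->buf = NULL;
        live_allocs--;
    }
}

/* Pre-patch shape: the decode failure returns early and never reaches
 * the cleanup at done:, so the buffer from the partial decode leaks. */
bool dispatch_leaky(size_t len, bool second_ok)
{
    fake_args argument;

    memset(&argument, 0, sizeof argument);   /* demo convention: zero before decode */
    if (!fake_getargs(&argument, len, second_ok))
        return false;       /* leak: argument.buf is never freed */
    /* ... handle the request ... */
    fake_freeargs(&argument);
    return true;
}

/* Patched shape: every exit after the decode attempt goes through
 * done:, so freeargs runs whether or not the decode succeeded. */
bool dispatch_fixed(size_t len, bool second_ok)
{
    fake_args argument;
    bool ok = false;

    memset(&argument, 0, sizeof argument);   /* demo convention: zero before decode */
    if (!fake_getargs(&argument, len, second_ok))
        goto done;
    /* ... handle the request ... */
    ok = true;
done:
    fake_freeargs(&argument);
    return ok;
}

/* Feed n malformed requests to a handler and return how many
 * allocations are still outstanding afterwards. */
long leaked_after(bool (*handler)(size_t, bool), int n, size_t len)
{
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        handler(len, false);    /* second field always malformed */
    return live_allocs;
}

int main(void)
{
    printf("leaky: %ld outstanding after 1000 bad requests\n",
           leaked_after(dispatch_leaky, 1000, 64));
    printf("fixed: %ld outstanding after 1000 bad requests\n",
           leaked_after(dispatch_fixed, 1000, 64));
    return 0;
}
```

The demo uses a 64-byte first field so the leaky handler's loss stays small; in the reproducer the commit message cites, the size of that first allocation is taken from the request (the numBytes argument), which is why each malformed call in the message's measurement grows VmSize by roughly the requested amount. Zeroing `argument` before the decode attempt is what makes the unconditional free on the `done:` path safe after a partial decode.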
Diffstat (limited to 'src/rpcb_svc.c')
-rw-r--r--  src/rpcb_svc.c  2
1 file changed, 1 insertion, 1 deletion
diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
index 709e3fb..091f530 100644
--- a/src/rpcb_svc.c
+++ b/src/rpcb_svc.c
@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
svcerr_decode(transp);
if (debugging)
(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
- return;
+ goto done;
}
if (rqstp->rq_proc == RPCBPROC_SET
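Review bot: the `goto done;` replacing `return;` on the svc_getargs() failure path in rpcb_service_3() is only safe if the `done:` label, which this hunk does not show, calls svc_freeargs() with the same xdr routine and `&argument` that svc_getargs() was given, and if `argument` was zeroed before the decode attempt: a decode that fails part-way leaves earlier fields allocated and later fields untouched, and XDR_FREE will walk all of them. Please confirm both in the surrounding code and check that no other early `return` remains between the svc_getargs() call and `done:`. Note also that the diffstat shows only this one-line change in src/rpcb_svc.c while the commit message places the reproducer's leak in rpcb_service_4(), so the matching fix must live in another file not shown on this page and deserves the same two checks.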