| author | Doran Moppert <dmoppert@redhat.com> | 2017-05-11 11:42:54 -0400 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2017-05-11 11:47:52 -0400 |
| commit | 7ea36eeece56b59f98e469934e4c20b4da043346 (patch) | |
| tree | 7622fb94a23816d71286f00bdaf41b20bf2016d7 /src/rpcb_svc.c | |
| parent | ee569be4d6189a68b38d2af162af00ff475b48e2 (diff) | |
| download | rpcbind-7ea36eeece56b59f98e469934e4c20b4da043346.tar.gz | |
rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak
rpcbind-0_2_5-rc1
This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
at [1], [2], [3]. The last link suggests this issue is actually a bug
in rpcbind, which led me here.
The leak caused by the reproducer at [4] appears to come from
rpcb_service_4(), in the case where svc_getargs() returns false and the
function had an early return, rather than passing through the cleanup
path at done:, as would otherwise occur.
It also addresses a couple of other locations where the same fault seems
to exist, though I haven't been able to exercise those. I hope someone
more intimate with rpc(3) can confirm my understanding is correct, and
that I haven't introduced any new bugs.
Without this patch, using the reproducer (and variants) repeatedly
against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
rpcbind)/status reports VmSize increase of 976564 kB each call, and
VmRSS increase of around 260 kB every 33 calls - the specific numbers
are probably an artifact of my rhel/glibc version. With the patch,
there is a small (~50 kB) VmSize increase with the first message, but
thereafter both VmSize and VmRSS remain steady.
[1]: http://seclists.org/oss-sec/2017/q2/209
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
[4]: https://github.com/guidovranken/rpcbomb/
Signed-off-by: Doran Moppert <dmoppert@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'src/rpcb_svc.c')
| -rw-r--r-- | src/rpcb_svc.c | 2 |
|---|---|---|
1 files changed, 1 insertions, 1 deletions
diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c index 709e3fb..091f530 100644 --- a/src/rpcb_svc.c +++ b/src/rpcb_svc.c @@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) svcerr_decode(transp); if (debugging) (void) xlog(LOG_DEBUG, "rpcbind: could not decode"); - return; + goto done; } if (rqstp->rq_proc == RPCBPROC_SET |
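Review bot: the `goto done;` that replaces `return;` on the "could not decode" path in rpcb_service_3() only closes the leak if the `done:` label, which is outside this hunk, calls svc_freeargs() on the same argument buffer that the failed svc_getargs() was decoding into, and if that buffer was zero-initialised before the call so that freeing a partially decoded XDR structure does not touch uninitialised pointers. Neither the `done:` block nor the buffer initialisation is visible here, so please confirm both in the review, and consider extending the hunk context or stating in the commit message that the `done:` path performs the svc_freeargs() cleanup for this early-exit case as well as for the normal path. The commit message names rpcb_service_4() as the site reached by the reproducer; this file's hunk touches rpcb_service_3(), so a sentence noting that the same early-return pattern was fixed there would make the diffstat easier to map to the description.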