author: Doran Moppert <dmoppert@redhat.com> 2017-05-11 11:42:54 -0400
committer: Steve Dickson <steved@redhat.com> 2017-05-11 11:47:52 -0400
commit: 7ea36eeece56b59f98e469934e4c20b4da043346 (patch)
tree: 7622fb94a23816d71286f00bdaf41b20bf2016d7 /src/rpcb_svc_com.c
parent: ee569be4d6189a68b38d2af162af00ff475b48e2 (diff)
download: rpcbind-7ea36eeece56b59f98e469934e4c20b4da043346.tar.gz
rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak
tag: rpcbind-0_2_5-rc1

This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed at [1], [2], [3]. The last link suggests this issue is actually a bug in rpcbind, which led me here.

The leak caused by the reproducer at [4] appears to come from rpcb_service_4(), in the case where svc_getargs() returns false and the function had an early return, rather than passing through the cleanup path at done:, as would otherwise occur.

It also addresses a couple of other locations where the same fault seems to exist, though I haven't been able to exercise those. I hope someone more intimate with rpc(3) can confirm my understanding is correct, and that I haven't introduced any new bugs.

Without this patch, using the reproducer (and variants) repeatedly against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof rpcbind)/status reports VmSize increase of 976564 kB each call, and VmRSS increase of around 260 kB every 33 calls - the specific numbers are probably an artifact of my rhel/glibc version. With the patch, there is a small (~50 kB) VmSize increase with the first message, but thereafter both VmSize and VmRSS remain steady.

[1]: http://seclists.org/oss-sec/2017/q2/209
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
[4]: https://github.com/guidovranken/rpcbomb/

Signed-off-by: Doran Moppert <dmoppert@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'src/rpcb_svc_com.c')
-rw-r--r-- src/rpcb_svc_com.c | 8 ++++++++
1 files changed, 8 insertions, 0 deletions
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 5862c26..cb63afd 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -927,6 +927,14 @@ error:
if (call_msg.rm_xid != 0)
(void) free_slot_by_xid(call_msg.rm_xid);
out:
+ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
+ if (debugging) {
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+ if (doabort) {
+ rpcbind_abort();
+ }
+ }
+ }
if (local_uaddr)
free(local_uaddr);
if (buf_alloc)
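Review bot: the `doabort` check in the new `out:` block is nested inside `if (debugging)`, so a failed svc_freeargs() triggers rpcbind_abort() only when debugging is also enabled; when debugging is off the failure is silently ignored regardless of `doabort`. If abort-on-error is meant to be independent of debug logging, hoist the check: `if (doabort) rpcbind_abort();` after the `if (debugging)` block; if the nesting is deliberate (the commit message says the same cleanup was added in a couple of other locations), it would help to state that in a comment so the two flags' interaction is not misread later. Separately, this cleanup now runs on every path that reaches `out:`, including ones taken before svc_getargs() succeeded, so it relies on `a` having been zero-initialised at function entry; worth a brief comment at the label, since that precondition is not visible here.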