[reactos] 01/01: [LIBTIRPC] Fix CVE-2017-8779 by backporting its fix CORE-13460 - Ros-diffs

15 Oct 2017

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=6808e7d25b8262f70011e5...
commit 6808e7d25b8262f70011e53f3dc46db7aa0813fa
Author: Pierre Schweitzer pierre@reactos.org
AuthorDate: Sun Oct 15 13:54:11 2017 +0200
[LIBTIRPC] Fix CVE-2017-8779 by backporting its fix
    CORE-13460
---
 dll/3rdparty/libtirpc/src/rpc_generic.c | 14 +++++++++
 dll/3rdparty/libtirpc/src/rpcb_prot.c   | 44 +++++++++++++++++++++++++++++
 dll/3rdparty/libtirpc/src/rpcb_st_xdr.c | 19 +++++++++++++
 dll/3rdparty/libtirpc/src/xdr.c         | 50 +++++++++++++++++++++++++++++++++
 4 files changed, 127 insertions(+)

diff --git a/dll/3rdparty/libtirpc/src/rpc_generic.c b/dll/3rdparty/libtirpc/src/rpc_generic.c
index f3bbc73c46..fc646f5bc5 100644
--- a/dll/3rdparty/libtirpc/src/rpc_generic.c
+++ b/dll/3rdparty/libtirpc/src/rpc_generic.c
@@ -679,6 +679,11 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
switch (af) {
    case AF_INET:
+#ifdef __REACTOS__ // CVE-2017-8779
+		if (nbuf->len < sizeof(*sin)) {
+			return NULL;
+		}
+#endif
    	sin = nbuf->buf;
    	if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
    	    == NULL)
@@ -690,6 +695,11 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
    	break;
 #ifdef INET6
    case AF_INET6:
+#ifdef __REACTOS__ // CVE-2017-8779
+		if (nbuf->len < sizeof(*sin6)) {
+			return NULL;
+		}
+#endif
    	sin6 = nbuf->buf;
    	if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
    	    == NULL)
@@ -736,6 +746,10 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
port = 0;
    sin = NULL;
+#ifdef __REACTOS__ // CVE-2017-8779
+	if (uaddr == NULL)
+		return NULL;
+#endif
    addrstr = strdup(uaddr);
    if (addrstr == NULL)
    	return NULL;
diff --git a/dll/3rdparty/libtirpc/src/rpcb_prot.c b/dll/3rdparty/libtirpc/src/rpcb_prot.c
index 0b762d1deb..da4c2d9ada 100644
--- a/dll/3rdparty/libtirpc/src/rpcb_prot.c
+++ b/dll/3rdparty/libtirpc/src/rpcb_prot.c
@@ -42,6 +42,9 @@
 #include <rpc/types.h>
 #include <rpc/xdr.h>
 #include <rpc/rpcb_prot.h>
+#ifdef __REACTOS__ // CVE-2017-8779
+#include "rpc_com.h"
+#endif
bool_t
 xdr_rpcb(xdrs, objp)
@@ -54,6 +57,7 @@ xdr_rpcb(xdrs, objp)
    if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
    	return (FALSE);
    }
+#ifndef __REACTOS__ // CVE-2017-8779
    if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
    	return (FALSE);
    }
@@ -63,6 +67,17 @@ xdr_rpcb(xdrs, objp)
    if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
    	return (FALSE);
    }
+#else
+	if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+	if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+	if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+#endif
    return (TRUE);
 }
@@ -160,21 +175,39 @@ xdr_rpcb_entry(xdrs, objp)
    XDR *xdrs;
    rpcb_entry *objp;
 {
+#ifndef __REACTOS__ // CVE-2017-8779
    if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
    	return (FALSE);
    }
    if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
    	return (FALSE);
    }
+#else
+	if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+	if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+#endif
    if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
    	return (FALSE);
    }
+#ifndef __REACTOS__ // CVE-2017-8779
    if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
    	return (FALSE);
    }
    if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
    	return (FALSE);
    }
+#else
+	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+	if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+		return (FALSE);
+	}
+#endif
    return (TRUE);
 }
@@ -293,7 +326,11 @@ xdr_rpcb_rmtcallres(xdrs, p)
    bool_t dummy;
    struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+#ifdef __REACTOS__ // CVE-2017-8779
+	if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+#else
    if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
+#endif
    	return (FALSE);
    }
    if (!xdr_u_int(xdrs, &objp->results.results_len)) {
@@ -313,6 +350,13 @@ xdr_netbuf(xdrs, objp)
    if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
    	return (FALSE);
    }
+#ifdef __REACTOS__ // CVE-2017-8779
+
+	if (objp->maxlen > RPC_MAXDATASIZE) {
+		return (FALSE);
+	}
+
+#endif
    dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
    		(u_int *)&(objp->len), objp->maxlen);
    return (dummy);
diff --git a/dll/3rdparty/libtirpc/src/rpcb_st_xdr.c b/dll/3rdparty/libtirpc/src/rpcb_st_xdr.c
index 6feb70b486..76c0bd1e33 100644
--- a/dll/3rdparty/libtirpc/src/rpcb_st_xdr.c
+++ b/dll/3rdparty/libtirpc/src/rpcb_st_xdr.c
@@ -39,6 +39,9 @@
#include <wintirpc.h>
 #include <rpc/rpc.h>
+#ifdef __REACTOS__ // CVE-2017-8779
+#include "rpc_com.h"
+#endif
/* Link list of all the stats about getport and getaddr */
@@ -60,7 +63,11 @@ xdr_rpcbs_addrlist(xdrs, objp)
        if (!xdr_int(xdrs, &objp->failure)) {
    	return (FALSE);
        }
+#ifdef __REACTOS__ // CVE-2017-8779
+	    if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+#else
        if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+#endif
    	return (FALSE);
        }
@@ -111,7 +118,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
    	IXDR_PUT_INT32(buf, objp->failure);
    	IXDR_PUT_INT32(buf, objp->indirect);
    }
+#ifdef __REACTOS__ // CVE-2017-8779
+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+#else
    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+#endif
    	return (FALSE);
    }
    if (!xdr_pointer(xdrs, (char **)&objp->next,
@@ -149,7 +160,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
    	objp->failure = (int)IXDR_GET_INT32(buf);
    	objp->indirect = (int)IXDR_GET_INT32(buf);
    }
+#ifdef __REACTOS__ // CVE-2017-8779
+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+#else
    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+#endif
    	return (FALSE);
    }
    if (!xdr_pointer(xdrs, (char **)&objp->next,
@@ -177,7 +192,11 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
    if (!xdr_int(xdrs, &objp->indirect)) {
    	return (FALSE);
    }
+#ifdef __REACTOS__ // CVE-2017-8779
+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+#else
    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+#endif
    	return (FALSE);
    }
    if (!xdr_pointer(xdrs, (char **)&objp->next,
diff --git a/dll/3rdparty/libtirpc/src/xdr.c b/dll/3rdparty/libtirpc/src/xdr.c
index 85396b3420..7804a2bdb9 100644
--- a/dll/3rdparty/libtirpc/src/xdr.c
+++ b/dll/3rdparty/libtirpc/src/xdr.c
@@ -44,8 +44,14 @@
 #include <stdlib.h>
 #include <string.h>
+#ifdef __REACTOS__ // CVE-2017-8779
+#include <rpc/rpc.h>
+#endif
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#ifdef __REACTOS__ // CVE-2017-8779
+#include <rpc/rpc_com.h>
+#endif
typedef quad_t          longlong_t;     /* ANSI long long type */
 typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
@@ -55,7 +61,9 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
  */
 #define XDR_FALSE	((long) 0)
 #define XDR_TRUE	((long) 1)
+#ifndef __REACTOS__ // CVE-2017-8779
 #define LASTUNSIGNED	((u_int) 0-1)
+#endif
/*
  * for unit alignment
@@ -533,6 +541,9 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
 {
    char *sp = *cpp;  /* sp is the actual string pointer */
    u_int nodesize;
+#ifdef __REACTOS__ // CVE-2017-8779
+	bool_t ret, allocated = FALSE;
+#endif
/*
     * first deal with the length since xdr bytes are counted
@@ -556,6 +567,9 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
    	}
    	if (sp == NULL) {
    		*cpp = sp = mem_alloc(nodesize);
+#ifdef __REACTOS__ // CVE-2017-8779
+			allocated = TRUE;
+#endif
    	}
    	if (sp == NULL) {
    		//warnx("xdr_bytes: out of memory");
@@ -564,7 +578,18 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
    	/* FALLTHROUGH */
case XDR_ENCODE:
+#ifndef __REACTOS__ // CVE-2017-8779
    	return (xdr_opaque(xdrs, sp, nodesize));
+#else
+		ret = xdr_opaque(xdrs, sp, nodesize);
+		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+			if (allocated == TRUE) {
+				free(sp);
+				*cpp = NULL;
+			}
+		}
+		return (ret);
+#endif
case XDR_FREE:
    	if (sp != NULL) {
@@ -658,6 +683,9 @@ xdr_string(xdrs, cpp, maxsize)
    char *sp = *cpp;  /* sp is the actual string pointer */
    u_int size;
    u_int nodesize;
+#ifdef __REACTOS__ // CVE-2017-8779
+	bool_t ret, allocated = FALSE;
+#endif
/*
     * first deal with the length since xdr strings are counted-strings
@@ -697,8 +725,15 @@ xdr_string(xdrs, cpp, maxsize)
    switch (xdrs->x_op) {
case XDR_DECODE:
+#ifndef __REACTOS__ // CVE-2017-8779
    	if (sp == NULL)
    		*cpp = sp = mem_alloc(nodesize);
+#else
+		if (sp == NULL) {
+			*cpp = sp = mem_alloc(nodesize);
+			allocated = TRUE;
+		}
+#endif
    	if (sp == NULL) {
    		//warnx("xdr_string: out of memory");
    		return (FALSE);
@@ -707,7 +742,18 @@ xdr_string(xdrs, cpp, maxsize)
    	/* FALLTHROUGH */
case XDR_ENCODE:
+#ifndef __REACTOS__ // CVE-2017-8779
    	return (xdr_opaque(xdrs, sp, size));
+#else
+		ret = xdr_opaque(xdrs, sp, size);
+		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+			if (allocated == TRUE) {
+				free(sp);
+				*cpp = NULL;
+			}
+		}
+		return (ret);
+#endif
case XDR_FREE:
    	mem_free(sp, nodesize);
@@ -727,7 +773,11 @@ xdr_wrapstring(xdrs, cpp)
    XDR *xdrs;
    char **cpp;
 {
+#ifdef __REACTOS__ // CVE-2017-8779
+	return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+#else
    return xdr_string(xdrs, cpp, LASTUNSIGNED);
+#endif
 }
/*

    