libtirpc: Fix CVE-2017-8779

This vulnerability is also called "rpcbomb". Backport upstream patch to fix this vulnerability. CVE: CVE-2017-8779 (From OE-Core rev: d10edb97f0a7d6952adf9e0dbb6b4d5c0d168195) Signed-off-by: Fan Xin<fan.xin@jp.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Fan Xin <fan.xin@jp.fujitsu.com> 2017-06-07 17:29:03 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-06-09 17:12:15 +0100
commit: 78568b3a377f7a981fa32162370341556b1c4940 (patch)
tree: 5d8273e6f15384360d4904e38be2cc39f151e3e3 /meta/recipes-extended/libtirpc
parent: 68e25dfade6bd00b1c7186ffc8aa944e9b1bf28a (diff)
download: poky-78568b3a377f7a981fa32162370341556b1c4940.tar.gz
2 files changed, 277 insertions, 0 deletions
diff --git a/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch
new file mode 100644
index 0000000000..b3bae675ee
--- /dev/null
+++ b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch
@@ -0,0 +1,276 @@
+From dd9c7cf4f8f375c6d641b760d124650c418c2ce3 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 15 May 2017 11:12:21 -0400
+Subject: [PATCH] Fix for CVE-2017-8779
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/rpc_generic.c |  8 ++++++++
+ src/rpcb_prot.c   | 22 ++++++++++++++--------
+ src/rpcb_st_xdr.c |  9 +++++----
+ src/xdr.c         | 30 +++++++++++++++++++++++++-----
+ 4 files changed, 52 insertions(+), 17 deletions(-)
+CVE: CVE-2017-8779
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
+++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 
+        switch (af) {
+        case AF_INET:
+               if (nbuf->len < sizeof(*sin)) {
+                       return NULL;
+               }
+                sin = nbuf->buf;
+                if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+                    == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+                break;
+ #ifdef INET6
+        case AF_INET6:
+               if (nbuf->len < sizeof(*sin6)) {
+                       return NULL;
+               }
+                sin6 = nbuf->buf;
+                if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+                    == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+ 
+        port = 0;
+        sin = NULL;
+       if (uaddr == NULL)
+               return NULL;
+        addrstr = strdup(uaddr);
+        if (addrstr == NULL)
+                return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
+++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+ #include <rpc/rpcb_prot.h>
+#include "rpc_com.h"
+ 
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+        if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+        XDR *xdrs;
+        rpcb_entry *objp;
+ {
+-       if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+        bool_t dummy;
+        struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+ 
+-       if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+        if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+                return (FALSE);
+        }
+
+       if (objp->maxlen > RPC_MAXDATASIZE) {
+               return (FALSE);
+       }
+
+        dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+                        (u_int *)&(objp->len), objp->maxlen);
+        return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
+++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+ 
+ 
+ #include <rpc/rpc.h>
+#include "rpc_com.h"
+ 
+ /* Link list of all the stats about getport and getaddr */
+ 
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+            if (!xdr_int(xdrs, &objp->failure)) {
+                return (FALSE);
+            }
+-           if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+           if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+            }
+ 
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+                IXDR_PUT_INT32(buf, objp->failure);
+                IXDR_PUT_INT32(buf, objp->indirect);
+        }
+-       if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+                objp->failure = (int)IXDR_GET_INT32(buf);
+                objp->indirect = (int)IXDR_GET_INT32(buf);
+        }
+-       if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+        if (!xdr_int(xdrs, &objp->indirect)) {
+                return (FALSE);
+        }
+-       if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
+       if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+                return (FALSE);
+        }
+        if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
+++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
+#include <rpc/rpc.h>
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+#include <rpc/rpc_com.h>
+ 
+ typedef quad_t          longlong_t;     /* ANSI long long type */
+ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+  */
+ #define XDR_FALSE      ((long) 0)
+ #define XDR_TRUE       ((long) 1)
+-#define LASTUNSIGNED   ((u_int) 0-1)
+ 
+ /*
+  * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+        char *sp = *cpp;  /* sp is the actual string pointer */
+        u_int nodesize;
+       bool_t ret, allocated = FALSE;
+ 
+        /*
+         * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+                }
+                if (sp == NULL) {
+                        *cpp = sp = mem_alloc(nodesize);
+                       allocated = TRUE;
+                }
+                if (sp == NULL) {
+                        warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+                /* FALLTHROUGH */
+ 
+        case XDR_ENCODE:
+-               return (xdr_opaque(xdrs, sp, nodesize));
+               ret = xdr_opaque(xdrs, sp, nodesize);
+               if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+                       if (allocated == TRUE) {
+                               free(sp);
+                               *cpp = NULL;
+                       }
+               }
+               return (ret);
+ 
+        case XDR_FREE:
+                if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+        char *sp = *cpp;  /* sp is the actual string pointer */
+        u_int size;
+        u_int nodesize;
+       bool_t ret, allocated = FALSE;
+ 
+        /*
+         * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+        switch (xdrs->x_op) {
+ 
+        case XDR_DECODE:
+-               if (sp == NULL)
+               if (sp == NULL) {
+                        *cpp = sp = mem_alloc(nodesize);
+                       allocated = TRUE;
+               }
+                if (sp == NULL) {
+                        warnx("xdr_string: out of memory");
+                        return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+                /* FALLTHROUGH */
+ 
+        case XDR_ENCODE:
+-               return (xdr_opaque(xdrs, sp, size));
+               ret = xdr_opaque(xdrs, sp, size);
+               if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
+                       if (allocated == TRUE) {
+                               free(sp);
+                               *cpp = NULL;
+                       }
+               }
+               return (ret);
+ 
+        case XDR_FREE:
+                mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+        XDR *xdrs;
+        char **cpp;
+ {
+-       return xdr_string(xdrs, cpp, LASTUNSIGNED);
+       return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+ 
+ /*
+-- 
+1.9.1
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
index 5518fb3c78..f41d2f3e3d 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2;name=libtirpc \
           file://export_key_secretkey_is_set.patch \
           file://0001-replace-__bzero-with-memset-API.patch \
           file://0001-include-stdint.h-for-uintptr_t.patch \
+           file://0001-Fix-for-CVE-2017-8779.patch \
           "
 SRC_URI_append_libc-uclibc = " file://remove-des-functionality.patch \
author	Fan Xin <fan.xin@jp.fujitsu.com>	2017-06-07 17:29:03 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-06-09 17:12:15 +0100
commit	78568b3a377f7a981fa32162370341556b1c4940 (patch)
tree	5d8273e6f15384360d4904e38be2cc39f151e3e3 /meta/recipes-extended/libtirpc
parent	68e25dfade6bd00b1c7186ffc8aa944e9b1bf28a (diff)
download	poky-78568b3a377f7a981fa32162370341556b1c4940.tar.gz

diff --git a/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch new file mode 100644 index 0000000000..b3bae675ee --- /dev/null +++ b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch
@@ -0,0 +1,276 @@
		1	From dd9c7cf4f8f375c6d641b760d124650c418c2ce3 Mon Sep 17 00:00:00 2001
		2	From: Guido Vranken <guidovranken@gmail.com>
		3	Date: Mon, 15 May 2017 11:12:21 -0400
		4	Subject: [PATCH] Fix for CVE-2017-8779
		5
		6	Signed-off-by: Steve Dickson <steved@redhat.com>
		7	---
		8	src/rpc_generic.c \| 8 ++++++++
		9	src/rpcb_prot.c \| 22 ++++++++++++++--------
		10	src/rpcb_st_xdr.c \| 9 +++++----
		11	src/xdr.c \| 30 +++++++++++++++++++++++++-----
		12	4 files changed, 52 insertions(+), 17 deletions(-)
		13
		14	CVE: CVE-2017-8779
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
		18
		19	diff --git a/src/rpc_generic.c b/src/rpc_generic.c
		20	index 2f09a8f..589cbd5 100644
		21	--- a/src/rpc_generic.c
		22	+++ b/src/rpc_generic.c
		23	@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
		24
		25	switch (af) {
		26	case AF_INET:
		27	+ if (nbuf->len < sizeof(*sin)) {
		28	+ return NULL;
		29	+ }
		30	sin = nbuf->buf;
		31	if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
		32	== NULL)
		33	@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
		34	break;
		35	#ifdef INET6
		36	case AF_INET6:
		37	+ if (nbuf->len < sizeof(*sin6)) {
		38	+ return NULL;
		39	+ }
		40	sin6 = nbuf->buf;
		41	if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
		42	== NULL)
		43	@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
		44
		45	port = 0;
		46	sin = NULL;
		47	+ if (uaddr == NULL)
		48	+ return NULL;
		49	addrstr = strdup(uaddr);
		50	if (addrstr == NULL)
		51	return NULL;
		52	diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
		53	index 43fd385..a923c8e 100644
		54	--- a/src/rpcb_prot.c
		55	+++ b/src/rpcb_prot.c
		56	@@ -41,6 +41,7 @@
		57	#include <rpc/types.h>
		58	#include <rpc/xdr.h>
		59	#include <rpc/rpcb_prot.h>
		60	+#include "rpc_com.h"
		61
		62	bool_t
		63	xdr_rpcb(xdrs, objp)
		64	@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
		65	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
		66	return (FALSE);
		67	}
		68	- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
		69	+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
		70	return (FALSE);
		71	}
		72	- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
		73	+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
		74	return (FALSE);
		75	}
		76	- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
		77	+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
		78	return (FALSE);
		79	}
		80	return (TRUE);
		81	@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
		82	XDR *xdrs;
		83	rpcb_entry *objp;
		84	{
		85	- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
		86	+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
		87	return (FALSE);
		88	}
		89	- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
		90	+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
		91	return (FALSE);
		92	}
		93	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
		94	return (FALSE);
		95	}
		96	- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
		97	+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
		98	return (FALSE);
		99	}
		100	- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
		101	+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
		102	return (FALSE);
		103	}
		104	return (TRUE);
		105	@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
		106	bool_t dummy;
		107	struct r_rpcb_rmtcallres objp = (struct r_rpcb_rmtcallres )(void *)p;
		108
		109	- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
		110	+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
		111	return (FALSE);
		112	}
		113	if (!xdr_u_int(xdrs, &objp->results.results_len)) {
		114	@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
		115	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
		116	return (FALSE);
		117	}
		118	+
		119	+ if (objp->maxlen > RPC_MAXDATASIZE) {
		120	+ return (FALSE);
		121	+ }
		122	+
		123	dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
		124	(u_int *)&(objp->len), objp->maxlen);
		125	return (dummy);
		126	diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
		127	index 08db745..28e6a48 100644
		128	--- a/src/rpcb_st_xdr.c
		129	+++ b/src/rpcb_st_xdr.c
		130	@@ -37,6 +37,7 @@
		131
		132
		133	#include <rpc/rpc.h>
		134	+#include "rpc_com.h"
		135
		136	/* Link list of all the stats about getport and getaddr */
		137
		138	@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
		139	if (!xdr_int(xdrs, &objp->failure)) {
		140	return (FALSE);
		141	}
		142	- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
		143	+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
		144	return (FALSE);
		145	}
		146
		147	@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
		148	IXDR_PUT_INT32(buf, objp->failure);
		149	IXDR_PUT_INT32(buf, objp->indirect);
		150	}
		151	- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
		152	+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
		153	return (FALSE);
		154	}
		155	if (!xdr_pointer(xdrs, (char **)&objp->next,
		156	@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
		157	objp->failure = (int)IXDR_GET_INT32(buf);
		158	objp->indirect = (int)IXDR_GET_INT32(buf);
		159	}
		160	- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
		161	+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
		162	return (FALSE);
		163	}
		164	if (!xdr_pointer(xdrs, (char **)&objp->next,
		165	@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
		166	if (!xdr_int(xdrs, &objp->indirect)) {
		167	return (FALSE);
		168	}
		169	- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
		170	+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
		171	return (FALSE);
		172	}
		173	if (!xdr_pointer(xdrs, (char **)&objp->next,
		174	diff --git a/src/xdr.c b/src/xdr.c
		175	index f3fb9ad..b9a1558 100644
		176	--- a/src/xdr.c
		177	+++ b/src/xdr.c
		178	@@ -42,8 +42,10 @@
		179	#include <stdlib.h>
		180	#include <string.h>
		181
		182	+#include <rpc/rpc.h>
		183	#include <rpc/types.h>
		184	#include <rpc/xdr.h>
		185	+#include <rpc/rpc_com.h>
		186
		187	typedef quad_t longlong_t; /* ANSI long long type */
		188	typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
		189	@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
		190	*/
		191	#define XDR_FALSE ((long) 0)
		192	#define XDR_TRUE ((long) 1)
		193	-#define LASTUNSIGNED ((u_int) 0-1)
		194
		195	/*
		196	* for unit alignment
		197	@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
		198	{
		199	char sp = cpp; /* sp is the actual string pointer */
		200	u_int nodesize;
		201	+ bool_t ret, allocated = FALSE;
		202
		203	/*
		204	* first deal with the length since xdr bytes are counted
		205	@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
		206	}
		207	if (sp == NULL) {
		208	*cpp = sp = mem_alloc(nodesize);
		209	+ allocated = TRUE;
		210	}
		211	if (sp == NULL) {
		212	warnx("xdr_bytes: out of memory");
		213	@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
		214	/* FALLTHROUGH */
		215
		216	case XDR_ENCODE:
		217	- return (xdr_opaque(xdrs, sp, nodesize));
		218	+ ret = xdr_opaque(xdrs, sp, nodesize);
		219	+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
		220	+ if (allocated == TRUE) {
		221	+ free(sp);
		222	+ *cpp = NULL;
		223	+ }
		224	+ }
		225	+ return (ret);
		226
		227	case XDR_FREE:
		228	if (sp != NULL) {
		229	@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
		230	char sp = cpp; /* sp is the actual string pointer */
		231	u_int size;
		232	u_int nodesize;
		233	+ bool_t ret, allocated = FALSE;
		234
		235	/*
		236	* first deal with the length since xdr strings are counted-strings
		237	@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
		238	switch (xdrs->x_op) {
		239
		240	case XDR_DECODE:
		241	- if (sp == NULL)
		242	+ if (sp == NULL) {
		243	*cpp = sp = mem_alloc(nodesize);
		244	+ allocated = TRUE;
		245	+ }
		246	if (sp == NULL) {
		247	warnx("xdr_string: out of memory");
		248	return (FALSE);
		249	@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
		250	/* FALLTHROUGH */
		251
		252	case XDR_ENCODE:
		253	- return (xdr_opaque(xdrs, sp, size));
		254	+ ret = xdr_opaque(xdrs, sp, size);
		255	+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
		256	+ if (allocated == TRUE) {
		257	+ free(sp);
		258	+ *cpp = NULL;
		259	+ }
		260	+ }
		261	+ return (ret);
		262
		263	case XDR_FREE:
		264	mem_free(sp, nodesize);
		265	@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
		266	XDR *xdrs;
		267	char **cpp;
		268	{
		269	- return xdr_string(xdrs, cpp, LASTUNSIGNED);
		270	+ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
		271	}
		272
		273	/*
		274	--
		275	1.9.1
		276


diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb index 5518fb3c78..f41d2f3e3d 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2;name=libtirpc \
16	file://export_key_secretkey_is_set.patch \	16	file://export_key_secretkey_is_set.patch \
17	file://0001-replace-__bzero-with-memset-API.patch \	17	file://0001-replace-__bzero-with-memset-API.patch \
18	file://0001-include-stdint.h-for-uintptr_t.patch \	18	file://0001-include-stdint.h-for-uintptr_t.patch \
		19	file://0001-Fix-for-CVE-2017-8779.patch \
19	"	20	"
20		21
21	SRC_URI_append_libc-uclibc = " file://remove-des-functionality.patch \	22	SRC_URI_append_libc-uclibc = " file://remove-des-functionality.patch \