From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] rpcbind: fix attempt to free non-dynamic memory
Date: Wed, 17 Jan 2018 14:13:18 +0100
Message-ID: <20180117141318.7d337f52@windsurf>
In-Reply-To: <20180117100858.30401-1-ed.blake@sondrel.com>

Hello,

On Wed, 17 Jan 2018 10:08:58 +0000, Ed Blake wrote:
> Commit 954509f added a security fix for CVE-2017-8779, involving
> pairing all svc_getargs() calls with svc_freeargs() to avoid a memory
> leak. This included adding a call to svc_freeargs() to
> rpcbproc_callit_com().
>
> However, rpcbproc_callit_com() allocates memory for args.rmt_args.args
> itself, either dynamically (sendsz > RPC_BUF_MAX) or else on the stack,
> rather than having the memory allocated in svc_getargs().
>
> The call to svc_freeargs() results in an attempt to free the memory
> allocated by rpcbproc_callit_com(), which if on the stack results in
> undefined behaviour.
>
> Fix this by removing the svc_freeargs() call, which is not required as
> rpcbproc_callit_com() allocates (and correctly frees) memory itself.
>
> Change-Id: I7fc34efd58408ec5e626da8edd08aa697ed8b936
> Signed-off-by: Ed Blake <ed.blake@sondrel.com>

Thanks. Is this fix-for-the-fix in the upstream rpcbind project? If
not, did you submit it?

I think we'd prefer to keep the existing
0004-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
unchanged, so that it matches the upstream commit, and add an
additional patch that fixes the commit. Just to be in line with what
upstream has.

Best regards,

Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
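
The ownership problem described in the quoted commit message, as an added example (not rpcbind or Buildroot code): a handler that picks a stack or heap buffer by request size must release only the heap one, whereas a cleanup that frees the pointer unconditionally would pass a stack address to free(). The names `call_args`, `release_args`, `handle_call` and the `BUF_MAX` value are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_MAX 64 /* illustrative threshold standing in for RPC_BUF_MAX */

/* Hypothetical argument holder that records who owns the buffer. */
struct call_args {
    unsigned char *buf;
    int on_heap;            /* 1 only when buf came from malloc() */
};

/* Release only heap memory; returns the number of free() calls made. */
static int release_args(struct call_args *a)
{
    int freed = a->on_heap;
    if (freed)
        free(a->buf);
    a->buf = NULL;
    a->on_heap = 0;
    return freed;
}

/* Sums the payload via a stack or heap copy; returns free() calls made, or -1. */
int handle_call(const unsigned char *payload, size_t sendsz, unsigned *sum)
{
    unsigned char stack_buf[BUF_MAX];
    struct call_args a = { stack_buf, 0 };
    if (payload == NULL || sum == NULL)
        return -1;
    if (sendsz > BUF_MAX) {             /* large request: heap path */
        a.buf = malloc(sendsz);
        if (a.buf == NULL)
            return -1;
        a.on_heap = 1;
    }
    memcpy(a.buf, payload, sendsz);
    *sum = 0;
    for (size_t i = 0; i < sendsz; i++)
        *sum += a.buf[i];
    /* An unconditional free(a.buf) here would hit stack_buf on the small path. */
    return release_args(&a);
}

int main(void)
{
    unsigned char small[16] = {1}, big[2 * BUF_MAX] = {2}; /* constructed input */
    unsigned s;
    printf("frees: small=%d big=%d\n", handle_call(small, sizeof small, &s),
           handle_call(big, sizeof big, &s));
    return 0;
}
```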