git: 92606b55b47c - main - net-mgmt/wmi-client: backport three fixes to nbtsocket.c from upstream to address some known issues with the port, namely:

Alexey Dokuchaev danfe at FreeBSD.org
Thu Apr 29 10:50:35 UTC 2021


The branch main has been updated by danfe:

URL: https://cgit.FreeBSD.org/ports/commit/?id=92606b55b47cb4b6ad025638171123a4c0193565

commit 92606b55b47cb4b6ad025638171123a4c0193565
Author:     Alexey Dokuchaev <danfe at FreeBSD.org>
AuthorDate: 2021-04-29 10:48:02 +0000
Commit:     Alexey Dokuchaev <danfe at FreeBSD.org>
CommitDate: 2021-04-29 10:48:06 +0000

    net-mgmt/wmi-client: backport three fixes to nbtsocket.c from upstream
    to address some known issues with the port, namely:
    
      - Prevent segmentation fault in certain scenarios
      - Fix busy loop on empty UDP packet (CVE-2020-14303)
      - Plug memory leak in nbt_name_request_destructor()
    
    While here, remove needless .include <bsd.port.options.mk> and vocalize
    the installation command.
    
    Commits:        ebab6d6, 3cc0f1e
    Obtained from:  https://git.samba.org/?p=samba.git;a=history;f=libcli/nbt/nbtsocket.c
    PR:             237038
---
 net-mgmt/wmi-client/Makefile                       |  6 +-
 .../patch-Samba_source_libcli_nbt_nbtsocket.c      | 82 ++++++++++++++++++++++
 2 files changed, 84 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/wmi-client/Makefile b/net-mgmt/wmi-client/Makefile
index ea482fa4d359..2e8bca37b793 100644
--- a/net-mgmt/wmi-client/Makefile
+++ b/net-mgmt/wmi-client/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	wmi
 PORTVERSION=	1.3.16
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	net-mgmt
 MASTER_SITES=	http://dev.zenoss.org/trac/export/26435/trunk/inst/externallibs/ \
 		http://www.openvas.org/download/wmi/ \
@@ -21,11 +21,9 @@ ALL_TARGET=	build
 
 PROGS=	bin/wmic bin/winexe
 
-.include <bsd.port.options.mk>
-
 do-install:
 .for x in ${PROGS}
-	@${INSTALL_PROGRAM} ${WRKSRC}/Samba/source/${x} ${STAGEDIR}${PREFIX}/${x}
+	${INSTALL_PROGRAM} ${WRKSRC}/Samba/source/${x} ${STAGEDIR}${PREFIX}/${x}
 .endfor
 
 .include <bsd.port.mk>
diff --git a/net-mgmt/wmi-client/files/patch-Samba_source_libcli_nbt_nbtsocket.c b/net-mgmt/wmi-client/files/patch-Samba_source_libcli_nbt_nbtsocket.c
new file mode 100644
index 000000000000..524e57a2c437
--- /dev/null
+++ b/net-mgmt/wmi-client/files/patch-Samba_source_libcli_nbt_nbtsocket.c
@@ -0,0 +1,82 @@
+--- Samba/source/libcli/nbt/nbtsocket.c.orig	2011-11-22 22:40:25 UTC
++++ Samba/source/libcli/nbt/nbtsocket.c
+@@ -45,6 +45,7 @@ static int nbt_name_request_destructor(struct nbt_name
+ 		req->name_trn_id = 0;
+ 	}
+ 	if (req->te) {
++		talloc_free(req->te);
+ 		req->te = NULL;
+ 	}
+ 	if (req->nbtsock->send_queue == NULL) {
+@@ -168,8 +169,23 @@ static void nbt_name_socket_recv(struct nbt_name_socke
+ 		return;
+ 	}
+ 
++	/*
++	 * Given a zero length, data_blob_talloc() returns the
++	 * NULL blob {NULL, 0}.
++	 *
++	 * We only want to error return here on a real out of memory condition
++	 * (i.e. dsize != 0, so the UDP packet has data, but the return of the
++	 * allocation failed, so blob.data==NULL).
++	 *
++	 * Given an actual zero length UDP packet having blob.data == NULL
++	 * isn't an out of memory error condition, that's the defined semantics
++	 * of data_blob_talloc() when asked for zero bytes.
++	 *
++	 * We still need to continue to do the zero-length socket_recvfrom()
++	 * read in order to clear the "read pending" condition on the socket.
++	 */
+ 	blob = data_blob_talloc(tmp_ctx, NULL, dsize);
+-	if (blob.data == NULL) {
++	if (blob.data == NULL && dsize != 0) {
+ 		talloc_free(tmp_ctx);
+ 		return;
+ 	}
+@@ -226,6 +242,16 @@ static void nbt_name_socket_recv(struct nbt_name_socke
+ 		return;
+ 	}
+ 
++	talloc_steal(req, packet);
++	talloc_steal(req, src);
++	talloc_free(tmp_ctx);
++	nbt_name_socket_handle_response_packet(req, packet, src);
++}
++
++void nbt_name_socket_handle_response_packet(struct nbt_name_request *req,
++					    struct nbt_name_packet *packet,
++					    struct socket_address *src)
++{
+ 	/* if this is a WACK response, this we need to go back to waiting,
+ 	   but perhaps increase the timeout */
+ 	if ((packet->operation & NBT_OPCODE) == NBT_OPCODE_WACK) {
+@@ -246,7 +272,6 @@ static void nbt_name_socket_recv(struct nbt_name_socke
+ 		req->te = event_add_timed(req->nbtsock->event_ctx, req, 
+ 					  timeval_current_ofs(req->timeout, 0),
+ 					  nbt_name_socket_timeout, req);
+-		talloc_free(tmp_ctx);
+ 		return;
+ 	}
+ 	
+@@ -268,7 +293,6 @@ static void nbt_name_socket_recv(struct nbt_name_socke
+ 	/* if we don't want multiple replies then we are done */
+ 	if (req->allow_multiple_replies &&
+ 	    req->num_replies < NBT_MAX_REPLIES) {
+-		talloc_free(tmp_ctx);
+ 		return;
+ 	}
+ 
+@@ -278,13 +302,11 @@ static void nbt_name_socket_recv(struct nbt_name_socke
+ 
+ done:
+     if (DEBUGLVL(9)) {
+-        talloc_report(tmp_ctx, stdout);
+         talloc_report(req, stdout);
+     }
+ 	if (req->async.fn) {
+ 		req->async.fn(req);
+ 	}
+-	talloc_free(tmp_ctx);
+ }
+ 
+ /*
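Review bot: The call to `nbt_name_socket_handle_response_packet()` at the end of `nbt_name_socket_recv()` precedes the function's definition, and this patch adds no prototype for it. Unless this tree generates or already carries a prototype elsewhere, the compiler sees an implicit `int` declaration that conflicts with the later `void` definition. If nothing outside nbtsocket.c calls it in this tree, add `static void nbt_name_socket_handle_response_packet(struct nbt_name_request *req, struct nbt_name_packet *packet, struct socket_address *src);` above `nbt_name_socket_recv()` and mark the definition `static` as well. The new function also deserves a short header comment saying that `packet` and `src` are reparented from `tmp_ctx` to `req` just before the call, so on the WACK and multiple-reply return paths they are released only when `req` is freed. Both function bodies extend beyond the nested hunks shown here.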

