FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind

Xin Li delphij at delphij.net
Wed Sep 30 22:04:45 UTC 2015


On 09/30/15 13:13, Xin Li wrote:
> On 09/30/15 13:03, Robert Blayzor wrote:
>> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij at delphij.net> wrote:
>>>
>>> Can you make this change and see if it helps?
>>>
>>> Index: rpcb_svc_com.c
>>> ===================================================================
>>> --- rpcb_svc_com.c	(revision 288421)
>>> +++ rpcb_svc_com.c	(working copy)
>>> @@ -1052,7 +1052,7 @@ static bool_t
>>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>>> {
>>>
>>> -	assert(dst->buf == NULL);
>>> +	assert(dst->len == 0 || dst->buf == NULL);
>>>>
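Review bot: The relaxed precondition on the `+` line, `assert(dst->len == 0 || dst->buf == NULL)`, still rejects the one state the follow-up shows actually occurring: a dst with len != 0 and buf != NULL, which is why the assertion fires again at line 1056. Widening the check only moves the crash; netbuf_copybuf needs to handle a dst that already owns a buffer (release it or reuse it before the copy), otherwise the only outcomes are the abort seen here or, with the assert removed, the leak the reply itself mentions. Also, the quoted hunk carries only the leading context of the 7-line @@ range; the trailing context lines after the assert are missing, so what the function does with dst->buf afterwards cannot be reviewed from this excerpt.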
>>
>> Same result:
>>
>>
>> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.
> 
> Hmm  this suggests there were either a use-after-free or a memory leak
> with existing code.  I will need some time to further investigate this.
> 
> In the meantime, please comment out the assertion (which turns the crash
> back into memory leak in the worst case).

Please try the attached patch, which will reallocate the buffer only when
the passed-in netbuf is of a different size.

Cheers,
-- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpcbind.diff
Type: text/x-patch
Size: 713 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20150930/c2c3466c/attachment.bin>
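As an added example (not the rpcbind.diff attached to this message, which the archive does not reproduce), the C below shows one way to write the copy so that it tolerates a dst that already owns a buffer: the allocation is reused when its size already matches the source and is freed and replaced otherwise, so neither the assertion abort nor the leak from the thread can occur. The struct netbuf here is a stand-in with the SunRPC field names, and the function name netbuf_copybuf_reuse, the check routine and its inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the SunRPC netbuf used by rpcbind (same fields; constructed here). */
struct netbuf {
	unsigned int maxlen;	/* bytes allocated at buf */
	unsigned int len;	/* bytes currently in use */
	void *buf;
};

/*
 * Copy src into dst.  Unlike a copy that asserts dst->buf == NULL, this
 * accepts a dst that was filled by an earlier call: the existing buffer is
 * reused when it already has the right size and is freed and replaced
 * otherwise, so a reused netbuf neither trips an assertion nor leaks.
 * Returns false only when allocation fails; dst is then left empty.
 */
static bool
netbuf_copybuf_reuse(struct netbuf *dst, const struct netbuf *src)
{
	if (src->len == 0) {
		free(dst->buf);			/* free(NULL) is a no-op */
		dst->buf = NULL;
		dst->len = dst->maxlen = 0;
		return true;
	}
	if (dst->buf == NULL || dst->maxlen != src->len) {
		free(dst->buf);			/* release the stale allocation instead of leaking it */
		dst->buf = malloc(src->len);
		if (dst->buf == NULL) {
			dst->len = dst->maxlen = 0;
			return false;
		}
		dst->maxlen = src->len;
	}
	memcpy(dst->buf, src->buf, src->len);
	dst->len = src->len;
	return true;
}

/*
 * Exercise the three cases a reused dst goes through: first fill, same-size
 * refill (buffer kept), different-size refill (buffer replaced).
 * Returns 0 on success, otherwise one bit per failed check.
 */
int
netbuf_copy_checks(void)
{
	struct netbuf a = { 4, 4, "abcd" };		/* constructed source, 4 bytes */
	struct netbuf b = { 8, 8, "12345678" };		/* constructed source, 8 bytes */
	struct netbuf dst = { 0, 0, NULL };
	int failures = 0;
	void *first;

	if (!netbuf_copybuf_reuse(&dst, &a) || dst.len != 4 ||
	    memcmp(dst.buf, "abcd", 4) != 0)
		failures |= 1;
	first = dst.buf;

	/* Same size: the existing allocation must be reused in place. */
	a.buf = "wxyz";
	if (!netbuf_copybuf_reuse(&dst, &a) || dst.buf != first ||
	    memcmp(dst.buf, "wxyz", 4) != 0)
		failures |= 2;

	/* Different size: the old allocation is released and replaced. */
	if (!netbuf_copybuf_reuse(&dst, &b) || dst.maxlen != 8 || dst.len != 8 ||
	    memcmp(dst.buf, "12345678", 8) != 0)
		failures |= 4;

	free(dst.buf);
	return failures;
}
```

The key invariant is that maxlen always describes the allocation behind buf, so the decision to reuse or replace is made from dst's own bookkeeping rather than from an assumption that the caller handed over an empty netbuf.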