git: 5299d64b2b9f - main - libc: fix buffer overrun in getrpcport(3)

Edward Tomasz Napierala trasz at freebsd.org
Mon Feb 1 17:26:12 UTC 2021


On 0131T1655, Shawn Webb wrote:
> On Sun, Jan 31, 2021 at 09:43:41PM +0000, Edward Tomasz Napierala wrote:
> > The branch main has been updated by trasz:
> > 
> > URL: https://cgit.FreeBSD.org/src/commit/?id=5299d64b2b9f7a25e423ef1785d9402a0ef198d3
> > 
> > commit 5299d64b2b9f7a25e423ef1785d9402a0ef198d3
> > Author:     Edward Tomasz Napierala <trasz at FreeBSD.org>
> > AuthorDate: 2021-01-31 21:41:55 +0000
> > Commit:     Edward Tomasz Napierala <trasz at FreeBSD.org>
> > CommitDate: 2021-01-31 21:42:02 +0000
> > 
> >     libc: fix buffer overrun in getrpcport(3)
> >     
> >     Reviewed By:    markj
> >     Sponsored by:   NetApp, Inc.
> >     Sponsored by:   Klara, Inc.
> >     Differential Revision: https://reviews.freebsd.org/D27332
> > ---
> >  lib/libc/rpc/getrpcport.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/lib/libc/rpc/getrpcport.c b/lib/libc/rpc/getrpcport.c
> > index 2b2d459c8887..4abc9a0c16af 100644
> > --- a/lib/libc/rpc/getrpcport.c
> > +++ b/lib/libc/rpc/getrpcport.c
> > @@ -62,14 +62,14 @@ getrpcport(char *host, int prognum, int versnum, int proto)
> >  
> >  	assert(host != NULL);
> >  
> > -	if ((hp = gethostbyname(host)) == NULL)
> > +	if ((hp = gethostbyname2(host, AF_INET)) == NULL)
> >  		return (0);
> >  	memset(&addr, 0, sizeof(addr));
> >  	addr.sin_len = sizeof(struct sockaddr_in);
> >  	addr.sin_family = AF_INET;
> >  	addr.sin_port =  0;
> > -	if (hp->h_length > addr.sin_len)
> > -		hp->h_length = addr.sin_len;
> > +	if (hp->h_length > sizeof(addr.sin_addr.s_addr))
> > +		hp->h_length = sizeof(addr.sin_addr.s_addr);
> >  	memcpy(&addr.sin_addr.s_addr, hp->h_addr, (size_t)hp->h_length);
> >  	/* Inconsistent interfaces need casts! :-( */
> >  	return (pmap_getport(&addr, (u_long)prognum, (u_long)versnum, 
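Review bot: with gethostbyname2(host, AF_INET) now used at `+ if ((hp = gethostbyname2(host, AF_INET)) == NULL)`, h_length is always sizeof(struct in_addr), so the clamp at `+ if (hp->h_length > sizeof(addr.sin_addr.s_addr))` is dead code in practice; if it is kept as a belt-and-braces check, returning 0 when `hp->h_addrtype != AF_INET || hp->h_length != sizeof(addr.sin_addr)` would be safer than silently truncating a longer address and handing pmap_getport a mangled one. The assignment `hp->h_length = sizeof(addr.sin_addr.s_addr);` also writes into the static struct hostent owned by the resolver, and comparing the int h_length against a size_t trips -Wsign-compare; copying the length into a local size_t (or using the explicit check above) avoids both. The commit message would also be clearer if it said what the old `hp->h_length > addr.sin_len` clamp allowed: up to sizeof(struct sockaddr_in) bytes memcpy'd into the 4-byte sin_addr, i.e. 8 bytes past the end of addr on the stack for a 16-byte address.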
> 
> Does a fix like this need to get a security advisory report? Also, any
> plans to MFC?

Sorry, I should have used a better commit message... I don't think
this is exploitable, or even triggerable - from my understanding, the
gethostbyname(3) function cannot return non-AF_INET address, unless
some internal resolver option has been set, which none of the programs
using getrpcport(3) seems to do.



More information about the dev-commits-src-all mailing list