From a9f437119d79a438cb12e510f3cadd4060102c9f Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 18 Apr 2013 14:29:58 -0400
Subject: [PATCH] svc_getargs(): Should not be freeing arg pointers on failures

commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduced a regression
that causes callers of svc_getargs() to crash when svc_freeargs() frees
arg pointers that are allocated on the stack.

svc_getargs() should let the callers do the freeing and not make any
assumptions on the type of memory passed in.

Also see:
https://bugzilla.redhat.com/show_bug.cgi?id=948378
and
CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash

Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/svc_dg.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/svc_dg.c b/src/svc_dg.c
index b1ac462..6e00191 100644
--- a/src/svc_dg.c
+++ b/src/svc_dg.c
@@ -284,7 +284,6 @@ svc_dg_getargs(xprt, xdr_args, args_ptr)
{
if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
xdr_args, args_ptr)) {
- (void)svc_freeargs(xprt, xdr_args, args_ptr);
return FALSE;
}
return TRUE;
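Review bot: the failure branch of svc_dg_getargs() now returns FALSE without anything in the code saying who owns args_ptr afterwards. A short comment at the `return FALSE;` stating that the caller is responsible for args_ptr, and must call svc_freeargs() itself only when the memory is not stack-allocated, would keep this call from being reintroduced later. The subject line speaks of svc_getargs() in general while the diffstat touches only src/svc_dg.c, so the commit message should say whether the other transports' getargs implementations were checked for the same svc_freeargs() call on the SVCAUTH_UNWRAP failure path.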
--
1.8.1.4