]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b95523e) | patch
The Sun RPC framework uses a netbuf structure to represent the
authorXin LI <delphij@FreeBSD.org>
Tue, 29 Sep 2015 18:05:54 +0000 (18:05 +0000)
committerXin LI <delphij@FreeBSD.org>
Tue, 29 Sep 2015 18:05:54 +0000 (18:05 +0000)
commit066c492a77015b0e8236d3d2cdfc733024e2e6c3
treeb831f6c330d314ce26da5f70adecb1dc161788b9tree | snapshot
parentb95523e859168243d427ca8b886a88f79090ddc8commit | diff
The Sun RPC framework uses a netbuf structure to represent the
transport specific form of a universal transport address.  The
structure is expected to be opaque to consumers.  In the current
implementation, the structure contains a pointer to a buffer
that holds the actual address.

In rpcbind(8), netbuf structures are copied directly, which would
result in two netbuf structures that reference to one shared
address buffer.  When one of the two netbuf structures is freed,
access to the other netbuf structure would result in an undefined
result that may crash the rpcbind(8) daemon.

Fix this by making a copy of the buffer that is going to be freed
instead of doing a shallow copy.

Security: FreeBSD-SA-15:24.rpcbind
Security: CVE-2015-7236
usr.sbin/rpcbind/rpcb_svc_com.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.