On 09/30/15 13:03, Robert Blayzor wrote:
> On Sep 30, 2015, at 3:54 PM, Xin Li <delphij at delphij.net> wrote:
>>
>> Can you make this change and see if it helps?
>>
>> Index: rpcb_svc_com.c
>>
==================================================================>> ---
rpcb_svc_com.c (revision 288421)
>> +++ rpcb_svc_com.c (working copy)
>> @@ -1052,7 +1052,7 @@ static bool_t
>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>> {
>>
>> - assert(dst->buf == NULL);
>> + assert(dst->len == 0 || dst->buf == NULL);
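Review bot: the relaxed check on the `+` line still demands `dst->buf == NULL` whenever `dst->len` is non-zero, so it does not change the outcome for the case that matters here, a `dst` that still holds a filled buffer from an earlier call, and the follow-up output in this thread shows the assertion firing at the same spot. If reuse of a populated destination is legitimate, `netbuf_copybuf()` should release or take ownership of the existing buffer instead of asserting; if it is not, the fix belongs with the caller that fails to clear `dst`, and the change should name which caller is expected to reach this point with a non-empty destination.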
> ?
>
>
> Same result:
>
>
> Assertion failed: (dst->len == 0 || dst->buf == NULL), function
> netbuf_copybuf, file rpcb_svc_com.c, line 1056.
Hmm, this suggests there was either a use-after-free or a memory leak in
the existing code. I will need some time to investigate this further.
In the meantime, please comment out the assertion (which turns the crash
back into a memory leak in the worst case).
Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
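As an added illustration of what the assertion above guards, and not code from the FreeBSD tree: a self-contained C model of the netbuf copy in which the "destination must be empty" invariant is checked and reported instead of aborting, together with a caller that copies into the same destination twice, with and without releasing it in between. The struct layout mirrors the TI-RPC netbuf (maxlen, len, buf); the function names and the sample payload are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal model of the TI-RPC netbuf, constructed for this example. */
struct netbuf {
    unsigned int maxlen;
    unsigned int len;
    void *buf;
};

/* Copy src into dst, enforcing the invariant the quoted assertion checks:
 * dst must not already own a buffer. Instead of abort(), the violation is
 * reported. Returns 1 on success, 0 on malloc failure, -1 if dst is not empty. */
static int
netbuf_copybuf_checked(struct netbuf *dst, const struct netbuf *src)
{
    if (dst->buf != NULL || dst->len != 0)
        return -1;   /* overwriting would leak (or reuse a stale pointer) */
    dst->buf = malloc(src->len);
    if (dst->buf == NULL)
        return 0;
    memcpy(dst->buf, src->buf, src->len);
    dst->len = dst->maxlen = src->len;
    return 1;
}

/* Release dst's buffer and reset it so it can be reused safely. */
static void
netbuf_release(struct netbuf *nb)
{
    free(nb->buf);
    nb->buf = NULL;
    nb->len = nb->maxlen = 0;
}

/* Copy into one dst twice; release == 0 is the leak pattern the report hints at.
 * Returns the result of the second copy (1 if accepted, -1 if rejected). */
static int
copy_twice(int release)
{
    char payload[] = "constructed sample payload";
    struct netbuf src = { sizeof payload, sizeof payload, payload };
    struct netbuf dst = { 0, 0, NULL };
    if (netbuf_copybuf_checked(&dst, &src) != 1)
        return 0;
    if (release)
        netbuf_release(&dst);
    int rc = netbuf_copybuf_checked(&dst, &src);
    netbuf_release(&dst);   /* frees whichever buffer dst still owns */
    return rc;
}
```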