45c19bd76e
* don't leak memory * be more picky about bad parameters From: https://raw.githubusercontent.com/guidovranken/rpcbomb/master/libtirpc_patch.txt https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt via NetBSD. Reviewed by: emaste, cem (earlier version) Differential Revision: https://reviews.freebsd.org/D10922 MFC after: 3 days
245 lines
6.7 KiB
C
245 lines
6.7 KiB
C
/* $NetBSD: rpcb_prot.c,v 1.3 2000/07/14 08:40:42 fvdl Exp $ */
|
|
|
|
/*-
|
|
* Copyright (c) 2009, Sun Microsystems, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
* - Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
* - Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
* - Neither the name of Sun Microsystems, Inc. nor the names of its
|
|
* contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
/*
|
|
* Copyright (c) 1986-1991 by Sun Microsystems Inc.
|
|
*/
|
|
|
|
/* #ident "@(#)rpcb_prot.c 1.13 94/04/24 SMI" */
|
|
|
|
#if defined(LIBC_SCCS) && !defined(lint)
|
|
static char sccsid[] = "@(#)rpcb_prot.c 1.9 89/04/21 Copyr 1984 Sun Micro";
|
|
#endif
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
/*
|
|
* rpcb_prot.c
|
|
* XDR routines for the rpcbinder version 3.
|
|
*
|
|
* Copyright (C) 1984, 1988, Sun Microsystems, Inc.
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/malloc.h>
|
|
|
|
#include <rpc/rpc.h>
|
|
#include <rpc/rpc_com.h>
|
|
#include <rpc/rpcb_prot.h>
|
|
|
|
bool_t
|
|
xdr_portmap(XDR *xdrs, struct portmap *regs)
|
|
{
|
|
|
|
if (xdr_u_long(xdrs, ®s->pm_prog) &&
|
|
xdr_u_long(xdrs, ®s->pm_vers) &&
|
|
xdr_u_long(xdrs, ®s->pm_prot))
|
|
return (xdr_u_long(xdrs, ®s->pm_port));
|
|
return (FALSE);
|
|
}
|
|
|
|
bool_t
|
|
xdr_rpcb(XDR *xdrs, RPCB *objp)
|
|
{
|
|
if (!xdr_uint32_t(xdrs, &objp->r_prog)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_uint32_t(xdrs, &objp->r_vers)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
return (TRUE);
|
|
}
|
|
|
|
/*
|
|
* rpcblist_ptr implements a linked list. The RPCL definition from
|
|
* rpcb_prot.x is:
|
|
*
|
|
* struct rpcblist {
|
|
* rpcb rpcb_map;
|
|
* struct rpcblist *rpcb_next;
|
|
* };
|
|
* typedef rpcblist *rpcblist_ptr;
|
|
*
|
|
* Recall that "pointers" in XDR are encoded as a boolean, indicating whether
|
|
* there's any data behind the pointer, followed by the data (if any exists).
|
|
* The boolean can be interpreted as ``more data follows me''; if FALSE then
|
|
* nothing follows the boolean; if TRUE then the boolean is followed by an
|
|
* actual struct rpcb, and another rpcblist_ptr (declared in RPCL as "struct
|
|
* rpcblist *").
|
|
*
|
|
* This could be implemented via the xdr_pointer type, though this would
|
|
* result in one recursive call per element in the list. Rather than do that
|
|
* we can ``unwind'' the recursion into a while loop and use xdr_reference to
|
|
* serialize the rpcb elements.
|
|
*/
|
|
|
|
bool_t
|
|
xdr_rpcblist_ptr(XDR *xdrs, rpcblist_ptr *rp)
|
|
{
|
|
/*
|
|
* more_elements is pre-computed in case the direction is
|
|
* XDR_ENCODE or XDR_FREE. more_elements is overwritten by
|
|
* xdr_bool when the direction is XDR_DECODE.
|
|
*/
|
|
bool_t more_elements;
|
|
int freeing = (xdrs->x_op == XDR_FREE);
|
|
rpcblist_ptr next;
|
|
rpcblist_ptr next_copy;
|
|
|
|
next = NULL;
|
|
for (;;) {
|
|
more_elements = (bool_t)(*rp != NULL);
|
|
if (! xdr_bool(xdrs, &more_elements)) {
|
|
return (FALSE);
|
|
}
|
|
if (! more_elements) {
|
|
return (TRUE); /* we are done */
|
|
}
|
|
/*
|
|
* the unfortunate side effect of non-recursion is that in
|
|
* the case of freeing we must remember the next object
|
|
* before we free the current object ...
|
|
*/
|
|
if (freeing && *rp)
|
|
next = (*rp)->rpcb_next;
|
|
if (! xdr_reference(xdrs, (caddr_t *)rp,
|
|
(u_int)sizeof (RPCBLIST), (xdrproc_t)xdr_rpcb)) {
|
|
return (FALSE);
|
|
}
|
|
if (freeing) {
|
|
next_copy = next;
|
|
rp = &next_copy;
|
|
/*
|
|
* Note that in the subsequent iteration, next_copy
|
|
* gets nulled out by the xdr_reference
|
|
* but next itself survives.
|
|
*/
|
|
} else if (*rp) {
|
|
rp = &((*rp)->rpcb_next);
|
|
}
|
|
}
|
|
/*NOTREACHED*/
|
|
}
|
|
|
|
#if 0
|
|
/*
|
|
* xdr_rpcblist() is specified to take a RPCBLIST **, but is identical in
|
|
* functionality to xdr_rpcblist_ptr().
|
|
*/
|
|
bool_t
|
|
xdr_rpcblist(XDR *xdrs, RPCBLIST **rp)
|
|
{
|
|
bool_t dummy;
|
|
|
|
dummy = xdr_rpcblist_ptr(xdrs, (rpcblist_ptr *)rp);
|
|
return (dummy);
|
|
}
|
|
#endif
|
|
|
|
bool_t
|
|
xdr_rpcb_entry(XDR *xdrs, rpcb_entry *objp)
|
|
{
|
|
if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_uint32_t(xdrs, &objp->r_nc_semantics)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
|
|
return (FALSE);
|
|
}
|
|
return (TRUE);
|
|
}
|
|
|
|
bool_t
|
|
xdr_rpcb_entry_list_ptr(XDR *xdrs, rpcb_entry_list_ptr *rp)
|
|
{
|
|
/*
|
|
* more_elements is pre-computed in case the direction is
|
|
* XDR_ENCODE or XDR_FREE. more_elements is overwritten by
|
|
* xdr_bool when the direction is XDR_DECODE.
|
|
*/
|
|
bool_t more_elements;
|
|
int freeing = (xdrs->x_op == XDR_FREE);
|
|
rpcb_entry_list_ptr next;
|
|
rpcb_entry_list_ptr next_copy;
|
|
|
|
next = NULL;
|
|
for (;;) {
|
|
more_elements = (bool_t)(*rp != NULL);
|
|
if (! xdr_bool(xdrs, &more_elements)) {
|
|
return (FALSE);
|
|
}
|
|
if (! more_elements) {
|
|
return (TRUE); /* we are done */
|
|
}
|
|
/*
|
|
* the unfortunate side effect of non-recursion is that in
|
|
* the case of freeing we must remember the next object
|
|
* before we free the current object ...
|
|
*/
|
|
if (freeing)
|
|
next = (*rp)->rpcb_entry_next;
|
|
if (! xdr_reference(xdrs, (caddr_t *)rp,
|
|
(u_int)sizeof (rpcb_entry_list),
|
|
(xdrproc_t)xdr_rpcb_entry)) {
|
|
return (FALSE);
|
|
}
|
|
if (freeing && *rp) {
|
|
next_copy = next;
|
|
rp = &next_copy;
|
|
/*
|
|
* Note that in the subsequent iteration, next_copy
|
|
* gets nulled out by the xdr_reference
|
|
* but next itself survives.
|
|
*/
|
|
} else if (*rp) {
|
|
rp = &((*rp)->rpcb_entry_next);
|
|
}
|
|
}
|
|
/*NOTREACHED*/
|
|
}
|