Set reasonable limits for xdr_requests.

[BZ #15553] Increased the current limits large enough to load large key and data values, but small enough to not pose a DoS threat.
2024-11-08 14:20:07 +00:00 · 2013-05-30 17:05:21 -04:00 · 2013-05-30 17:05:21 -04:00 · eca5920cd9
commit eca5920cd9
parent 96945714ec
3 changed files with 26 additions and 7 deletions
--- a/13
+++ b/13
@ -1,4 +1,15 @@
-2012-05-30  Jeff Law  <law@redhat.com>
+2013-05-30  Patsy Franklin  <pfrankli@redhat.com>
+
+	[BZ # 15553]
+	* nis/yp_xdr.c (XDRMAXNAME): Define.
+	(XDRMAXRECORD): Define.
+	(xdr_domainname): Use XDRMAXNAME.
+	(xdr_mapname): Likewise.
+	(xdr_peername): Likewise.
+	(xdr_keydat): Use XDRMAXRECORD.
+	(xdr_valdat): Likewise.
+
+2013-05-30  Jeff Law  <law@redhat.com>

 	[BZ #14256]
 	* manual/errno.texi (ESTALE): Update to account for more than
--- a/2
+++ b/2
@ -19,7 +19,7 @@ Version 2.18
  15337, 15339, 15342, 15346, 15359, 15361, 15366, 15380, 15381, 15394,
  15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426,
  15429, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490, 15493,
-  15497, 15506, 15529.
+  15497, 15506, 15529, 15553.

 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
  #15078).
--- a/nis/yp_xdr.c
+++ b/nis/yp_xdr.c
@ -32,6 +32,14 @@
 #include <rpcsvc/yp.h>
 #include <rpcsvc/ypclnt.h>

+/* The NIS v2 protocol suggests 1024 bytes as a maximum length of all fields.
+   Current Linux systems don't use this limit. To remain compatible with
+   recent Linux systems we choose limits large enough to load large key and
+   data values, but small enough to not pose a DoS threat. */
+
+#define XDRMAXNAME 1024
+#define XDRMAXRECORD (16 * 1024 * 1024)
+
 bool_t
 xdr_ypstat (XDR *xdrs, ypstat *objp)
 {
@ -49,21 +57,21 @@ libnsl_hidden_def (xdr_ypxfrstat)
 bool_t
 xdr_domainname (XDR *xdrs, domainname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXDOMAIN);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_domainname)

 bool_t
 xdr_mapname (XDR *xdrs, mapname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXMAP);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_mapname)

 bool_t
 xdr_peername (XDR *xdrs, peername *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXPEER);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_peername)

@ -71,7 +79,7 @@ bool_t
 xdr_keydat (XDR *xdrs, keydat *objp)
 {
  return xdr_bytes (xdrs, (char **) &objp->keydat_val,
-		    (u_int *) &objp->keydat_len, YPMAXRECORD);
+		    (u_int *) &objp->keydat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_keydat)

@ -79,7 +87,7 @@ bool_t
 xdr_valdat (XDR *xdrs, valdat *objp)
 {
  return xdr_bytes (xdrs, (char **) &objp->valdat_val,
-		    (u_int *) &objp->valdat_len, YPMAXRECORD);
+		    (u_int *) &objp->valdat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_valdat)