Subject: amd vulnerability: patch for 1.3.3
To: None <tech-security@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 09/27/1999 21:45:55
by redmail.netbsd.org with SMTP; 27 Sep 1999 19:46:03 -0000
by antioche.lip6.fr (8.9.3/8.9.3) with ESMTP id VAA25875
for <tech-security@netbsd.org>; Mon, 27 Sep 1999 21:46:01 +0200 (MEST)
Date: Mon, 27 Sep 1999 21:45:55 +0200
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
To: tech-security@netbsd.org
Subject: amd vulnerability: patch for 1.3.3
Message-ID: <19990927214555.A5426@antioche.lip6.fr>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=C7zPtVaVf+AK4Oqc
--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=us-ascii
Hi,
Appended is a patch for amd for 1.3.3, which should solve the buffer overflow
problem reported on bugtraq. I'm running with this patch on i386 and sparc.
FYI, this has been fixed in -current and -release (but 1.4.1 *is* vulnerable).
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--
--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="amd.diff"
Index: amd/amq_subr.c
===================================================================
RCS file: /archive/cvs/cvsroot/NetBSD/src/usr.sbin/amd/amd/amq_subr.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- amq_subr.c 1997/12/15 16:57:40 1.1.1.1
+++ amq_subr.c 1999/09/27 14:01:35 1.2
@@ -187,7 +187,7 @@
return(0); /* assume security is therefore not OK */
}
- if (ntohs(sin->sin_port) >= 1024 ||
+ if (ntohs(sin->sin_port) >= IPPORT_RESERVED ||
!(sin->sin_addr.s_addr == htonl(0x7f000001) ||
sin->sin_addr.s_addr == myipaddr.s_addr)) {
char dq[20];
@@ -204,11 +204,24 @@
int *
amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
{
- static int rc;
- char *s = *(amq_string *) argp;
+ static int rc = EINVAL;
+ char s[AMQ_STRLEN];
char *cp;
+ char dq[20];
+ struct sockaddr_in *sin;
- plog(XLOG_INFO, "amq requested mount of %s", s);
+ if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) {
+ plog(XLOG_ERROR, "amu_svc_getcaller returned NULL");
+ return &rc;
+ }
+
+ strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1);
+ s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */
+ plog(XLOG_ERROR,
+ "amq requested mount of %s from %s.%d",
+ s, inet_dquad(dq, sin->sin_addr.s_addr),
+ ntohs(sin->sin_port));
+
/*
* Minimalist security check.
*/
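Review bot: The early `return &rc;` after the NULL check on `amu_svc_getcaller` hands back whatever `rc` held from the previous request, because `rc` is static and the `= EINVAL` initializer only runs once; set it explicitly on that path, `rc = EINVAL; return &rc;`. The `strncpy` into `s` also truncates an over-long argument silently and then continues toward the mount logic with the shortened name, so rejecting the request when `strlen(*(amq_string *) argp) >= AMQ_STRLEN` (setting `rc = EINVAL`) would be safer than truncating; the `s[AMQ_STRLEN-1] = '\0'` line can stay as a belt-and-braces terminator. The log call now uses `XLOG_ERROR` where the old line used `XLOG_INFO`; if that is a deliberate audit-level choice a short comment would save the next reader a question. amqproc_mount_1_svc's body continues past the end of the hunk.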
@@ -239,22 +252,8 @@
if (rc < 0)
return 0;
return &rc;
-}
-
-#else /* not ENABLE_AMQ_MOUNT */
-
-int *
-amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
-{
- static int rc;
- char *s = *(amq_string *) argp;
-
- plog(XLOG_ERROR, "amq requested mount of %s, but code is disabled", s);
-
- rc = EINVAL;
- return &rc;
}
-#endif /* not ENABLE_AMQ_MOUNT */
+#endif /* ENABLE_AMQ_MOUNT */
amq_string *
Index: amd/amq_svc.c
===================================================================
RCS file: /archive/cvs/cvsroot/NetBSD/src/usr.sbin/amd/amd/amq_svc.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- amq_svc.c 1997/12/15 16:57:40 1.1.1.1
+++ amq_svc.c 1999/09/27 14:01:36 1.2
@@ -59,7 +59,9 @@
amq_string amqproc_mnttree_1_arg;
amq_string amqproc_umnt_1_arg;
amq_setopt amqproc_setopt_1_arg;
+#ifdef ENABLE_AMQ_MOUNT
amq_string amqproc_mount_1_arg;
+#endif /* ENABLE_AMQ_MOUNT */
} argument;
char *result;
xdrproc_t xdr_argument, xdr_result;
@@ -109,11 +111,13 @@
local = (amqsvcproc_t) amqproc_getmntfs_1_svc;
break;
+#ifdef ENABLE_AMQ_MOUNT
case AMQPROC_MOUNT:
xdr_argument = (xdrproc_t) xdr_amq_string;
xdr_result = (xdrproc_t) xdr_int;
local = (amqsvcproc_t) amqproc_mount_1_svc;
break;
+#endif /* ENABLE_AMQ_MOUNT */
case AMQPROC_GETVERS:
xdr_argument = (xdrproc_t) xdr_void;
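Review bot: The `#ifdef ENABLE_AMQ_MOUNT` guards added here and in the `argument` union of the `@@ -59,7 +59,9 @@` hunk do not say where the macro is expected to be defined, and a build in which amq_svc.c and amq_subr.c see different settings only surfaces at link time. A one-line comment at the first guard stating that the macro must be set consistently for amq_svc.c and amq_subr.c, and whether the default build leaves it undefined, would document that intent; I cannot see the build configuration from here. With the `case AMQPROC_MOUNT:` compiled out, such a request presumably falls to the switch's default handling, which lies outside the hunk.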
Index: amd/nfs_prot_svc.c
===================================================================
RCS file: /archive/cvs/cvsroot/NetBSD/src/usr.sbin/amd/amd/nfs_prot_svc.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 nfs_prot_svc.c
--- nfs_prot_svc.c 1997/12/15 16:57:40 1.1.1.1
+++ nfs_prot_svc.c 1999/09/27 14:25:48
@@ -98,6 +98,18 @@
char *result;
xdrproc_t xdr_argument, xdr_result;
nfssvcproc_t local;
+ struct sockaddr_in *sinp;
+ char dq[20], dq2[28];
+
+ sinp = amu_svc_getcaller(rqstp->rq_xprt);
+ /* if the address does not match, ignore the request */
+ if (sinp->sin_addr.s_addr && sinp->sin_addr.s_addr != myipaddr.s_addr) {
+ plog(XLOG_WARNING, "ignoring request from %s:%u, expected %s",
+ inet_dquad(dq, sinp->sin_addr.s_addr),
+ ntohs(sinp->sin_port),
+ inet_dquad(dq2, myipaddr.s_addr));
+ return;
+ }
nfs_program_2_transp = NULL;
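Review bot: `sinp` is dereferenced at `if (sinp->sin_addr.s_addr && ...` without a NULL check, although the amq_subr.c hunk in this same patch tests the result of `amu_svc_getcaller` for NULL before use; adding `if (sinp == NULL) return;` before the address comparison keeps the two call sites consistent and avoids a NULL dereference in the server loop. The `sinp->sin_addr.s_addr &&` clause lets a request whose source address is all zeros through the filter; if that exception is deliberate for a particular transport, a comment such as `/* a zero source address is accepted because ... */` should say why, otherwise the clause should be dropped. The `dq[20]` and `dq2[28]` buffers serve the same `inet_dquad` purpose and could share one size. nfs_program_2's body continues outside the hunk.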
Index: amq/amq.c
===================================================================
RCS file: /archive/cvs/cvsroot/NetBSD/src/usr.sbin/amd/amq/amq.c,v
retrieving revision 1.1.1.1
retrieving revision 1.3
diff -u -r1.1.1.1 -r1.3
--- amq.c 1997/12/15 16:57:40 1.1.1.1
+++ amq.c 1999/09/27 14:01:40 1.3
@@ -329,7 +329,11 @@
/*
* Parse arguments
*/
+#ifdef ENABLE_AMQ_MOUNT
while ((opt_ch = getopt(argc, argv, "fh:l:msuvx:D:M:pP:")) != -1)
+#else
+ while ((opt_ch = getopt(argc, argv, "fh:l:msuvx:D:pP:")) != -1)
+#endif
switch (opt_ch) {
case 'f':
flush_flag = 1;
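Review bot: The two `while ((opt_ch = getopt(...` lines under `#ifdef ENABLE_AMQ_MOUNT` / `#else` duplicate the whole option string and differ only in `M:`, which invites drift when another option is added. A single `getopt` call reading a `static const char optstr[]` whose initializer is selected by the `#ifdef` (or built by adjacent string literals) keeps one copy of the shared options; the `-M` case in the `@@ -380,10 +384,12 @@` hunk would stay guarded as it is. The surrounding `main` starts and ends outside the hunk.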
@@ -380,10 +384,12 @@
nodefault = 1;
break;
+#ifdef ENABLE_AMQ_MOUNT
case 'M':
mount_map = optarg;
nodefault = 1;
break;
+#endif /* ENABLE_AMQ_MOUNT */
case 'P':
amd_program_number = atoi(optarg);
@@ -402,8 +408,14 @@
show_usage:
fprintf(stderr, "\
Usage: %s [-h host] [[-f] [-m] [-p] [-v] [-s]] | [[-u] directory ...]]\n\
-\t[-l logfile|\"syslog\"] [-x log_flags] [-D dbg_opts] [-M mapent]\n\
-\t[-P prognum]\n", progname);
+\t[-l logfile|\"syslog\"] [-x log_flags] [-D dbg_opts]%s\n\
+\t[-P prognum]\n", progname,
+#ifdef ENABLE_AMQ_MOUNT
+ " [-M mapent]"
+#else /* not ENABLE_AMQ_MOUNT */
+ ""
+#endif
+ );
exit(1);
}
#if defined(HAVE_CLUSTER_H) && defined(HAVE_CNODEID) && defined(HAVE_GETCCENT)
--C7zPtVaVf+AK4Oqc--