about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPatsy Franklin <pfrankli@redhat.com>2013-05-30 17:05:21 -0400
committerPatsy Franklin <pfrankli@redhat.com>2013-05-30 22:01:22 -0400
commiteca5920cd90093d8921f27bfbf7bcf54807165bb (patch)
treea9b9f4ac329cd52b71759090062a74f6092291f8
parent96945714ec61951cc748da2b4b8a80cf02127ee9 (diff)
downloadglibc-eca5920cd90093d8921f27bfbf7bcf54807165bb.tar.gz
glibc-eca5920cd90093d8921f27bfbf7bcf54807165bb.tar.xz
glibc-eca5920cd90093d8921f27bfbf7bcf54807165bb.zip
Set reasonable limits for xdr_requests.
[BZ #15553] Increased the current limits large enough to load large
key and data values, but small enough to not pose a DoS threat.
-rw-r--r--ChangeLog13
-rw-r--r--NEWS2
-rw-r--r--nis/yp_xdr.c18
3 files changed, 26 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 89b7bce7ee..9134d18f50 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
-2012-05-30  Jeff Law  <law@redhat.com>
+2013-05-30  Patsy Franklin  <pfrankli@redhat.com>
+
+	[BZ # 15553]
+	* nis/yp_xdr.c (XDRMAXNAME): Define.
+	(XDRMAXRECORD): Define.
+	(xdr_domainname): Use XDRMAXNAME.
+	(xdr_mapname): Likewise.
+	(xdr_peername): Likewise.
+	(xdr_keydat): Use XDRMAXRECORD.
+	(xdr_valdat): Likewise.
+
+2013-05-30  Jeff Law  <law@redhat.com>
 
 	[BZ #14256]
 	* manual/errno.texi (ESTALE): Update to account for more than
diff --git a/NEWS b/NEWS
index a66a9d7e9f..acfc19c1bd 100644
--- a/NEWS
+++ b/NEWS
@@ -19,7 +19,7 @@ Version 2.18
   15337, 15339, 15342, 15346, 15359, 15361, 15366, 15380, 15381, 15394,
   15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426,
   15429, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490, 15493,
-  15497, 15506, 15529.
+  15497, 15506, 15529, 15553.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).
diff --git a/nis/yp_xdr.c b/nis/yp_xdr.c
index 418850643d..34566d19a8 100644
--- a/nis/yp_xdr.c
+++ b/nis/yp_xdr.c
@@ -32,6 +32,14 @@
 #include <rpcsvc/yp.h>
 #include <rpcsvc/ypclnt.h>
 
+/* The NIS v2 protocol suggests 1024 bytes as a maximum length of all fields.
+   Current Linux systems don't use this limit. To remain compatible with
+   recent Linux systems we choose limits large enough to load large key and
+   data values, but small enough to not pose a DoS threat. */
+
+#define XDRMAXNAME 1024
+#define XDRMAXRECORD (16 * 1024 * 1024)
+
 bool_t
 xdr_ypstat (XDR *xdrs, ypstat *objp)
 {
@@ -49,21 +57,21 @@ libnsl_hidden_def (xdr_ypxfrstat)
 bool_t
 xdr_domainname (XDR *xdrs, domainname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXDOMAIN);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_domainname)
 
 bool_t
 xdr_mapname (XDR *xdrs, mapname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXMAP);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_mapname)
 
 bool_t
 xdr_peername (XDR *xdrs, peername *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXPEER);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_peername)
 
@@ -71,7 +79,7 @@ bool_t
 xdr_keydat (XDR *xdrs, keydat *objp)
 {
   return xdr_bytes (xdrs, (char **) &objp->keydat_val,
-		    (u_int *) &objp->keydat_len, YPMAXRECORD);
+		    (u_int *) &objp->keydat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_keydat)
 
@@ -79,7 +87,7 @@ bool_t
 xdr_valdat (XDR *xdrs, valdat *objp)
 {
   return xdr_bytes (xdrs, (char **) &objp->valdat_val,
-		    (u_int *) &objp->valdat_len, YPMAXRECORD);
+		    (u_int *) &objp->valdat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_valdat)