[LIBTIRPC] Fix CVE-2017-8779 by backporting its fix
[reactos.git] / dll / 3rdparty / libtirpc / src / rpcb_prot.c
1
2 /*
3 * Copyright (c) 2009, Sun Microsystems, Inc.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 * - Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * - Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * - Neither the name of Sun Microsystems, Inc. nor the names of its
14 * contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
21 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29 /*
30 * Copyright (c) 1986-1991 by Sun Microsystems Inc.
31 */
32
33 /*
34 * rpcb_prot.c
35 * XDR routines for the rpcbinder version 3.
36 *
37 * Copyright (C) 1984, 1988, Sun Microsystems, Inc.
38 */
39
40 #include <wintirpc.h>
41 #include <rpc/rpc.h>
42 #include <rpc/types.h>
43 #include <rpc/xdr.h>
44 #include <rpc/rpcb_prot.h>
45 #ifdef __REACTOS__ // CVE-2017-8779
46 #include "rpc_com.h"
47 #endif
48
49 bool_t
50 xdr_rpcb(xdrs, objp)
51 XDR *xdrs;
52 RPCB *objp;
53 {
54 if (!xdr_u_int32_t(xdrs, &objp->r_prog)) {
55 return (FALSE);
56 }
57 if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
58 return (FALSE);
59 }
60 #ifndef __REACTOS__ // CVE-2017-8779
61 if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
62 return (FALSE);
63 }
64 if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
65 return (FALSE);
66 }
67 if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
68 return (FALSE);
69 }
70 #else
71 if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
72 return (FALSE);
73 }
74 if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
75 return (FALSE);
76 }
77 if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
78 return (FALSE);
79 }
80 #endif
81 return (TRUE);
82 }
83
84 /*
85 * rpcblist_ptr implements a linked list. The RPCL definition from
86 * rpcb_prot.x is:
87 *
88 * struct rpcblist {
89 * rpcb rpcb_map;
90 * struct rpcblist *rpcb_next;
91 * };
92 * typedef rpcblist *rpcblist_ptr;
93 *
94 * Recall that "pointers" in XDR are encoded as a boolean, indicating whether
95 * there's any data behind the pointer, followed by the data (if any exists).
96 * The boolean can be interpreted as ``more data follows me''; if FALSE then
97 * nothing follows the boolean; if TRUE then the boolean is followed by an
98 * actual struct rpcb, and another rpcblist_ptr (declared in RPCL as "struct
99 * rpcblist *").
100 *
101 * This could be implemented via the xdr_pointer type, though this would
102 * result in one recursive call per element in the list. Rather than do that
103 * we can ``unwind'' the recursion into a while loop and use xdr_reference to
104 * serialize the rpcb elements.
105 */
106
107 bool_t
108 xdr_rpcblist_ptr(xdrs, rp)
109 XDR *xdrs;
110 rpcblist_ptr *rp;
111 {
112 /*
113 * more_elements is pre-computed in case the direction is
114 * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
115 * xdr_bool when the direction is XDR_DECODE.
116 */
117 bool_t more_elements;
118 int freeing = (xdrs->x_op == XDR_FREE);
119 rpcblist_ptr next;
120 rpcblist_ptr next_copy;
121
122 next = NULL;
123 for (;;) {
124 more_elements = (bool_t)(*rp != NULL);
125 if (! xdr_bool(xdrs, &more_elements)) {
126 return (FALSE);
127 }
128 if (! more_elements) {
129 return (TRUE); /* we are done */
130 }
131 /*
132 * the unfortunate side effect of non-recursion is that in
133 * the case of freeing we must remember the next object
134 * before we free the current object ...
135 */
136 if (freeing)
137 next = (*rp)->rpcb_next;
138 if (! xdr_reference(xdrs, (caddr_t *)rp,
139 (u_int)sizeof (rpcblist), (xdrproc_t)xdr_rpcb)) {
140 return (FALSE);
141 }
142 if (freeing) {
143 next_copy = next;
144 rp = &next_copy;
145 /*
146 * Note that in the subsequent iteration, next_copy
147 * gets nulled out by the xdr_reference
148 * but next itself survives.
149 */
150 } else {
151 rp = &((*rp)->rpcb_next);
152 }
153 }
154 /*NOTREACHED*/
155 }
156
157 /*
158 * xdr_rpcblist() is specified to take a RPCBLIST **, but is identical in
159 * functionality to xdr_rpcblist_ptr().
160 */
161 bool_t
162 xdr_rpcblist(xdrs, rp)
163 XDR *xdrs;
164 RPCBLIST **rp;
165 {
166 bool_t dummy;
167
168 dummy = xdr_rpcblist_ptr(xdrs, (rpcblist_ptr *)rp);
169 return (dummy);
170 }
171
172
173 bool_t
174 xdr_rpcb_entry(xdrs, objp)
175 XDR *xdrs;
176 rpcb_entry *objp;
177 {
178 #ifndef __REACTOS__ // CVE-2017-8779
179 if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
180 return (FALSE);
181 }
182 if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
183 return (FALSE);
184 }
185 #else
186 if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
187 return (FALSE);
188 }
189 if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
190 return (FALSE);
191 }
192 #endif
193 if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
194 return (FALSE);
195 }
196 #ifndef __REACTOS__ // CVE-2017-8779
197 if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
198 return (FALSE);
199 }
200 if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
201 return (FALSE);
202 }
203 #else
204 if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
205 return (FALSE);
206 }
207 if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
208 return (FALSE);
209 }
210 #endif
211 return (TRUE);
212 }
213
214 bool_t
215 xdr_rpcb_entry_list_ptr(xdrs, rp)
216 XDR *xdrs;
217 rpcb_entry_list_ptr *rp;
218 {
219 /*
220 * more_elements is pre-computed in case the direction is
221 * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
222 * xdr_bool when the direction is XDR_DECODE.
223 */
224 bool_t more_elements;
225 int freeing = (xdrs->x_op == XDR_FREE);
226 rpcb_entry_list_ptr next;
227 rpcb_entry_list_ptr next_copy;
228
229 next = NULL;
230 for (;;) {
231 more_elements = (bool_t)(*rp != NULL);
232 if (! xdr_bool(xdrs, &more_elements)) {
233 return (FALSE);
234 }
235 if (! more_elements) {
236 return (TRUE); /* we are done */
237 }
238 /*
239 * the unfortunate side effect of non-recursion is that in
240 * the case of freeing we must remember the next object
241 * before we free the current object ...
242 */
243 if (freeing)
244 next = (*rp)->rpcb_entry_next;
245 if (! xdr_reference(xdrs, (caddr_t *)rp,
246 (u_int)sizeof (rpcb_entry_list),
247 (xdrproc_t)xdr_rpcb_entry)) {
248 return (FALSE);
249 }
250 if (freeing) {
251 next_copy = next;
252 rp = &next_copy;
253 /*
254 * Note that in the subsequent iteration, next_copy
255 * gets nulled out by the xdr_reference
256 * but next itself survives.
257 */
258 } else {
259 rp = &((*rp)->rpcb_entry_next);
260 }
261 }
262 /*NOTREACHED*/
263 }
264
265 /*
266 * XDR remote call arguments
267 * written for XDR_ENCODE direction only
268 */
269 bool_t
270 xdr_rpcb_rmtcallargs(xdrs, p)
271 XDR *xdrs;
272 struct rpcb_rmtcallargs *p;
273 {
274 struct r_rpcb_rmtcallargs *objp =
275 (struct r_rpcb_rmtcallargs *)(void *)p;
276 u_int lenposition, argposition, position;
277 int32_t *buf;
278
279 buf = XDR_INLINE(xdrs, 3 * BYTES_PER_XDR_UNIT);
280 if (buf == NULL) {
281 if (!xdr_u_int32_t(xdrs, &objp->prog)) {
282 return (FALSE);
283 }
284 if (!xdr_u_int32_t(xdrs, &objp->vers)) {
285 return (FALSE);
286 }
287 if (!xdr_u_int32_t(xdrs, &objp->proc)) {
288 return (FALSE);
289 }
290 } else {
291 IXDR_PUT_U_INT32(buf, objp->prog);
292 IXDR_PUT_U_INT32(buf, objp->vers);
293 IXDR_PUT_U_INT32(buf, objp->proc);
294 }
295
296 /*
297 * All the jugglery for just getting the size of the arguments
298 */
299 lenposition = XDR_GETPOS(xdrs);
300 if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
301 return (FALSE);
302 }
303 argposition = XDR_GETPOS(xdrs);
304 if (! (*objp->xdr_args)(xdrs, objp->args.args_val)) {
305 return (FALSE);
306 }
307 position = XDR_GETPOS(xdrs);
308 objp->args.args_len = (u_int)((u_long)position - (u_long)argposition);
309 XDR_SETPOS(xdrs, lenposition);
310 if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
311 return (FALSE);
312 }
313 XDR_SETPOS(xdrs, position);
314 return (TRUE);
315 }
316
317 /*
318 * XDR remote call results
319 * written for XDR_DECODE direction only
320 */
321 bool_t
322 xdr_rpcb_rmtcallres(xdrs, p)
323 XDR *xdrs;
324 struct rpcb_rmtcallres *p;
325 {
326 bool_t dummy;
327 struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
328
329 #ifdef __REACTOS__ // CVE-2017-8779
330 if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
331 #else
332 if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
333 #endif
334 return (FALSE);
335 }
336 if (!xdr_u_int(xdrs, &objp->results.results_len)) {
337 return (FALSE);
338 }
339 dummy = (*(objp->xdr_res))(xdrs, objp->results.results_val);
340 return (dummy);
341 }
342
343 bool_t
344 xdr_netbuf(xdrs, objp)
345 XDR *xdrs;
346 struct netbuf *objp;
347 {
348 bool_t dummy;
349
350 if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
351 return (FALSE);
352 }
353 #ifdef __REACTOS__ // CVE-2017-8779
354
355 if (objp->maxlen > RPC_MAXDATASIZE) {
356 return (FALSE);
357 }
358
359 #endif
360 dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
361 (u_int *)&(objp->len), objp->maxlen);
362 return (dummy);
363 }