Set reasonable limits for xdr_requests.

[BZ #15553] Increased the current limits large enough to load large
key and data values, but small enough to not pose a DoS threat.

diff --git a/ChangeLog b/ChangeLog
index 89b7bce..9134d18 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
-2012-05-30  Jeff Law  <law@redhat.com>
+2013-05-30  Patsy Franklin  <pfrankli@redhat.com>
+
+       [BZ # 15553]
+       * nis/yp_xdr.c (XDRMAXNAME): Define.
+       (XDRMAXRECORD): Define.
+       (xdr_domainname): Use XDRMAXNAME.
+       (xdr_mapname): Likewise.
+       (xdr_peername): Likewise.
+       (xdr_keydat): Use XDRMAXRECORD.
+       (xdr_valdat): Likewise.
+
+2013-05-30  Jeff Law  <law@redhat.com>
 
        [BZ #14256]
        * manual/errno.texi (ESTALE): Update to account for more than

diff --git a/NEWS b/NEWS
index a66a9d7..acfc19c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -19,7 +19,7 @@ Version 2.18
   15337, 15339, 15342, 15346, 15359, 15361, 15366, 15380, 15381, 15394,
   15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426,
   15429, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490, 15493,
-  15497, 15506, 15529.
+  15497, 15506, 15529, 15553.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).

diff --git a/nis/yp_xdr.c b/nis/yp_xdr.c
index 4188506..34566d1 100644 (file)
--- a/nis/yp_xdr.c
+++ b/nis/yp_xdr.c
@@ -32,6 +32,14 @@
 #include <rpcsvc/yp.h>
 #include <rpcsvc/ypclnt.h>
 
+/* The NIS v2 protocol suggests 1024 bytes as a maximum length of all fields.
+   Current Linux systems don't use this limit. To remain compatible with
+   recent Linux systems we choose limits large enough to load large key and
+   data values, but small enough to not pose a DoS threat. */
+
+#define XDRMAXNAME 1024
+#define XDRMAXRECORD (16 * 1024 * 1024)
+
 bool_t
 xdr_ypstat (XDR *xdrs, ypstat *objp)
 {
@@ -49,21 +57,21 @@ libnsl_hidden_def (xdr_ypxfrstat)
 bool_t
 xdr_domainname (XDR *xdrs, domainname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXDOMAIN);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_domainname)
 
 bool_t
 xdr_mapname (XDR *xdrs, mapname *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXMAP);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_mapname)
 
 bool_t
 xdr_peername (XDR *xdrs, peername *objp)
 {
-  return xdr_string (xdrs, objp, YPMAXPEER);
+  return xdr_string (xdrs, objp, XDRMAXNAME);
 }
 libnsl_hidden_def (xdr_peername)
 
@@ -71,7 +79,7 @@ bool_t
 xdr_keydat (XDR *xdrs, keydat *objp)
 {
   return xdr_bytes (xdrs, (char **) &objp->keydat_val,
-                   (u_int *) &objp->keydat_len, YPMAXRECORD);
+                   (u_int *) &objp->keydat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_keydat)
 
@@ -79,7 +87,7 @@ bool_t
 xdr_valdat (XDR *xdrs, valdat *objp)
 {
   return xdr_bytes (xdrs, (char **) &objp->valdat_val,
-                   (u_int *) &objp->valdat_len, YPMAXRECORD);
+                   (u_int *) &objp->valdat_len, XDRMAXRECORD);
 }
 libnsl_hidden_def (xdr_valdat)