1c2c66affSColin Finck
2c2c66affSColin Finck /*
3c2c66affSColin Finck * Copyright (c) 2009, Sun Microsystems, Inc.
4c2c66affSColin Finck * All rights reserved.
5c2c66affSColin Finck *
6c2c66affSColin Finck * Redistribution and use in source and binary forms, with or without
7c2c66affSColin Finck * modification, are permitted provided that the following conditions are met:
8c2c66affSColin Finck * - Redistributions of source code must retain the above copyright notice,
9c2c66affSColin Finck * this list of conditions and the following disclaimer.
10c2c66affSColin Finck * - Redistributions in binary form must reproduce the above copyright notice,
11c2c66affSColin Finck * this list of conditions and the following disclaimer in the documentation
12c2c66affSColin Finck * and/or other materials provided with the distribution.
13c2c66affSColin Finck * - Neither the name of Sun Microsystems, Inc. nor the names of its
14c2c66affSColin Finck * contributors may be used to endorse or promote products derived
15c2c66affSColin Finck * from this software without specific prior written permission.
16c2c66affSColin Finck *
17c2c66affSColin Finck * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18c2c66affSColin Finck * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19c2c66affSColin Finck * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20c2c66affSColin Finck * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
21c2c66affSColin Finck * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22c2c66affSColin Finck * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23c2c66affSColin Finck * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24c2c66affSColin Finck * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25c2c66affSColin Finck * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26c2c66affSColin Finck * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27c2c66affSColin Finck * POSSIBILITY OF SUCH DAMAGE.
28c2c66affSColin Finck */
29c2c66affSColin Finck /*
30c2c66affSColin Finck * Copyright (c) 1986-1991 by Sun Microsystems Inc.
31c2c66affSColin Finck */
32c2c66affSColin Finck
33c2c66affSColin Finck /*
34c2c66affSColin Finck * rpcb_prot.c
35c2c66affSColin Finck * XDR routines for the rpcbinder version 3.
36c2c66affSColin Finck *
37c2c66affSColin Finck * Copyright (C) 1984, 1988, Sun Microsystems, Inc.
38c2c66affSColin Finck */
39c2c66affSColin Finck
40c2c66affSColin Finck #include <wintirpc.h>
41c2c66affSColin Finck #include <rpc/rpc.h>
42c2c66affSColin Finck #include <rpc/types.h>
43c2c66affSColin Finck #include <rpc/xdr.h>
44c2c66affSColin Finck #include <rpc/rpcb_prot.h>
45*6808e7d2SPierre Schweitzer #ifdef __REACTOS__ // CVE-2017-8779
46*6808e7d2SPierre Schweitzer #include "rpc_com.h"
47*6808e7d2SPierre Schweitzer #endif
48c2c66affSColin Finck
/*
 * XDR filter for one RPCB record: program number, version, then the netid,
 * address and owner strings, in that order.
 *
 * CVE-2017-8779: xdr_string() rejects strings longer than its third argument,
 * so (u_int)~0 accepts whatever length a peer puts on the wire. The
 * __REACTOS__ build passes RPC_MAXDATASIZE instead (presumably declared in
 * rpc_com.h, which this file includes under the same guard). Builds without
 * __REACTOS__ keep the unbounded limit.
 *
 * Returns TRUE when every field was processed, FALSE at the first failure.
 */
bool_t
xdr_rpcb(xdrs, objp)
	XDR *xdrs;
	RPCB *objp;
{
#ifdef __REACTOS__ // CVE-2017-8779
	const u_int str_limit = RPC_MAXDATASIZE;
#else
	const u_int str_limit = (u_int)~0;
#endif

	/* Short-circuit keeps the original field order and stops at the first failure. */
	if (xdr_u_int32_t(xdrs, &objp->r_prog) &&
	    xdr_u_int32_t(xdrs, &objp->r_vers) &&
	    xdr_string(xdrs, &objp->r_netid, str_limit) &&
	    xdr_string(xdrs, &objp->r_addr, str_limit) &&
	    xdr_string(xdrs, &objp->r_owner, str_limit)) {
		return (TRUE);
	}
	return (FALSE);
}
83c2c66affSColin Finck
/*
 * rpcblist_ptr is a singly linked list. rpcb_prot.x declares it in RPCL as:
 *
 *	struct rpcblist {
 *		rpcb rpcb_map;
 *		struct rpcblist *rpcb_next;
 *	};
 *	typedef rpcblist *rpcblist_ptr;
 *
 * XDR encodes a "pointer" as a boolean saying whether data follows, then the
 * data itself when it does. Read the boolean as ``more data follows me'':
 * FALSE ends the list; TRUE is followed by an actual struct rpcb and then
 * another rpcblist_ptr (declared in RPCL as "struct rpcblist *").
 *
 * xdr_pointer could express this, at the cost of one recursive call per list
 * element. The recursion is ``unwound'' into a loop here, with xdr_reference
 * serializing the rpcb elements.
 *
 * NOTE(review): the loop has no element-count limit of its own; on decode the
 * list length is whatever the stream supplies. Confirm that callers bound the
 * size of the message being decoded.
 */
bool_t
xdr_rpcblist_ptr(xdrs, rp)
	XDR *xdrs;
	rpcblist_ptr *rp;
{
	const int releasing = (xdrs->x_op == XDR_FREE);
	rpcblist_ptr saved_next = NULL;
	rpcblist_ptr cursor;
	bool_t has_more;

	while (1) {
		/*
		 * Pre-computed for XDR_ENCODE and XDR_FREE; xdr_bool
		 * overwrites it when the direction is XDR_DECODE.
		 */
		has_more = (bool_t)(*rp != NULL);
		if (!xdr_bool(xdrs, &has_more)) {
			return (FALSE);
		}
		if (!has_more) {
			return (TRUE);	/* end of list */
		}
		/*
		 * Without recursion, a free pass has to pick up the successor
		 * before the current node is released.
		 */
		if (releasing) {
			saved_next = (*rp)->rpcb_next;
		}
		if (!xdr_reference(xdrs, (caddr_t *)rp,
		    (u_int)sizeof (rpcblist), (xdrproc_t)xdr_rpcb)) {
			return (FALSE);
		}
		if (!releasing) {
			rp = &((*rp)->rpcb_next);
			continue;
		}
		/*
		 * cursor gets nulled out by xdr_reference on the next pass;
		 * saved_next itself survives.
		 */
		cursor = saved_next;
		rp = &cursor;
	}
	/*NOTREACHED*/
}
156c2c66affSColin Finck
/*
 * xdr_rpcblist() is specified to take a RPCBLIST **, but is identical in
 * functionality to xdr_rpcblist_ptr(): the argument is cast and handed
 * straight through, and that call's result is returned unchanged.
 */
bool_t
xdr_rpcblist(xdrs, rp)
	XDR *xdrs;
	RPCBLIST **rp;
{
	return (xdr_rpcblist_ptr(xdrs, (rpcblist_ptr *)rp));
}
171c2c66affSColin Finck
172c2c66affSColin Finck
/*
 * XDR filter for one rpcb_entry: r_maddr, r_nc_netid, r_nc_semantics,
 * r_nc_protofmly and r_nc_proto, in that order.
 *
 * CVE-2017-8779: all four strings are limited to RPC_MAXDATASIZE when
 * __REACTOS__ is defined. Without it the limit is (u_int)~0, which places no
 * practical bound on the string length a peer can announce.
 *
 * Returns TRUE when every field was processed, FALSE at the first failure.
 */
bool_t
xdr_rpcb_entry(xdrs, objp)
	XDR *xdrs;
	rpcb_entry *objp;
{
#ifdef __REACTOS__ // CVE-2017-8779
	const u_int str_limit = RPC_MAXDATASIZE;
#else
	const u_int str_limit = (u_int)~0;
#endif
	bool_t ok;

	/* Evaluated left to right; the first failing filter ends the chain. */
	ok = xdr_string(xdrs, &objp->r_maddr, str_limit) &&
	    xdr_string(xdrs, &objp->r_nc_netid, str_limit) &&
	    xdr_u_int32_t(xdrs, &objp->r_nc_semantics) &&
	    xdr_string(xdrs, &objp->r_nc_protofmly, str_limit) &&
	    xdr_string(xdrs, &objp->r_nc_proto, str_limit);

	return (ok ? TRUE : FALSE);
}
213c2c66affSColin Finck
/*
 * XDR filter for a linked list of rpcb_entry_list nodes, written as a loop
 * instead of one recursive call per element. Each pass handles the "more
 * elements" boolean and then one node through xdr_reference/xdr_rpcb_entry.
 *
 * Returns TRUE once the end-of-list marker has been processed, FALSE as soon
 * as any filter fails.
 *
 * NOTE(review): nothing here limits the number of elements; on decode the
 * list is as long as the stream says. Confirm that callers bound the size of
 * the message being decoded.
 */
bool_t
xdr_rpcb_entry_list_ptr(xdrs, rp)
	XDR *xdrs;
	rpcb_entry_list_ptr *rp;
{
	const int releasing = (xdrs->x_op == XDR_FREE);
	rpcb_entry_list_ptr saved_next = NULL;
	rpcb_entry_list_ptr cursor;
	bool_t has_more;

	while (1) {
		/*
		 * Pre-computed for XDR_ENCODE and XDR_FREE; xdr_bool
		 * overwrites it when the direction is XDR_DECODE.
		 */
		has_more = (bool_t)(*rp != NULL);
		if (!xdr_bool(xdrs, &has_more)) {
			return (FALSE);
		}
		if (!has_more) {
			return (TRUE);	/* end of list */
		}
		/*
		 * Without recursion, a free pass has to pick up the successor
		 * before the current node is released.
		 */
		if (releasing) {
			saved_next = (*rp)->rpcb_entry_next;
		}
		if (!xdr_reference(xdrs, (caddr_t *)rp,
		    (u_int)sizeof (rpcb_entry_list),
		    (xdrproc_t)xdr_rpcb_entry)) {
			return (FALSE);
		}
		if (!releasing) {
			rp = &((*rp)->rpcb_entry_next);
			continue;
		}
		/*
		 * cursor gets nulled out by xdr_reference on the next pass;
		 * saved_next itself survives.
		 */
		cursor = saved_next;
		rp = &cursor;
	}
	/*NOTREACHED*/
}
264c2c66affSColin Finck
/*
 * XDR remote call arguments
 * written for XDR_ENCODE direction only
 *
 * Layout produced: prog, vers, proc, the argument length, then the arguments
 * as encoded by the caller-supplied xdr_args routine.
 */
bool_t
xdr_rpcb_rmtcallargs(xdrs, p)
	XDR *xdrs;
	struct rpcb_rmtcallargs *p;
{
	struct r_rpcb_rmtcallargs *call =
	    (struct r_rpcb_rmtcallargs *)(void *)p;
	u_int len_pos, args_start, args_end;
	int32_t *inl;

	/* Use the inline buffer when the stream offers one, else go field by field. */
	inl = XDR_INLINE(xdrs, 3 * BYTES_PER_XDR_UNIT);
	if (inl != NULL) {
		IXDR_PUT_U_INT32(inl, call->prog);
		IXDR_PUT_U_INT32(inl, call->vers);
		IXDR_PUT_U_INT32(inl, call->proc);
	} else if (!xdr_u_int32_t(xdrs, &call->prog) ||
	    !xdr_u_int32_t(xdrs, &call->vers) ||
	    !xdr_u_int32_t(xdrs, &call->proc)) {
		return (FALSE);
	}

	/*
	 * The argument size is only known after encoding: reserve the length
	 * slot, encode the arguments, measure them, then go back and rewrite
	 * the slot with the measured value.
	 */
	len_pos = XDR_GETPOS(xdrs);
	if (!xdr_u_int(xdrs, &(call->args.args_len))) {
		return (FALSE);
	}
	args_start = XDR_GETPOS(xdrs);
	if (!(*call->xdr_args)(xdrs, call->args.args_val)) {
		return (FALSE);
	}
	args_end = XDR_GETPOS(xdrs);
	call->args.args_len = (u_int)((u_long)args_end - (u_long)args_start);

	/*
	 * NOTE(review): the results of both XDR_SETPOS calls are ignored, so a
	 * stream that refuses to reposition would not be detected here.
	 */
	XDR_SETPOS(xdrs, len_pos);
	if (!xdr_u_int(xdrs, &(call->args.args_len))) {
		return (FALSE);
	}
	XDR_SETPOS(xdrs, args_end);
	return (TRUE);
}
316c2c66affSColin Finck
/*
 * XDR remote call results
 * written for XDR_DECODE direction only
 *
 * CVE-2017-8779: the addr string is limited to RPC_MAXDATASIZE when
 * __REACTOS__ is defined; other builds keep the (u_int)~0 limit, which
 * accepts any length the reply announces.
 */
bool_t
xdr_rpcb_rmtcallres(xdrs, p)
	XDR *xdrs;
	struct rpcb_rmtcallres *p;
{
	struct r_rpcb_rmtcallres *res = (struct r_rpcb_rmtcallres *)(void *)p;
#ifdef __REACTOS__ // CVE-2017-8779
	const u_int addr_limit = RPC_MAXDATASIZE;
#else
	const u_int addr_limit = (u_int)~0;
#endif

	if (!xdr_string(xdrs, &res->addr, addr_limit) ||
	    !xdr_u_int(xdrs, &res->results.results_len)) {
		return (FALSE);
	}
	/*
	 * NOTE(review): results_len comes from the stream and is not range
	 * checked here; it is not passed to xdr_res either. Whether the
	 * caller-supplied xdr_res routine bounds what it reads cannot be seen
	 * from this function.
	 */
	return ((*(res->xdr_res))(xdrs, res->results.results_val));
}
342c2c66affSColin Finck
/*
 * XDR filter for a struct netbuf: maxlen first, then the buf/len byte array
 * with maxlen as the upper bound handed to xdr_bytes().
 *
 * CVE-2017-8779: maxlen itself travels on the wire, so when decoding the peer
 * supplies the bound that is then applied to its own data. The __REACTOS__
 * build refuses any maxlen above RPC_MAXDATASIZE before xdr_bytes() runs.
 * The check does not look at the stream direction, so it applies to every
 * call, not only to decoding.
 *
 * Returns FALSE if maxlen cannot be processed or exceeds the cap; otherwise
 * returns whatever xdr_bytes() returns.
 */
bool_t
xdr_netbuf(xdrs, objp)
	XDR *xdrs;
	struct netbuf *objp;
{
	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
		return (FALSE);
	}
#ifdef __REACTOS__ // CVE-2017-8779
	/* Reject an oversized bound before it reaches xdr_bytes(). */
	if (objp->maxlen > RPC_MAXDATASIZE) {
		return (FALSE);
	}
#endif
	return (xdr_bytes(xdrs, (char **)&(objp->buf),
	    (u_int *)&(objp->len), objp->maxlen));
}