1 2 /* 3 * Copyright (c) 2009, Sun Microsystems, Inc. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * - Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * - Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * - Neither the name of Sun Microsystems, Inc. nor the names of its 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 /* 30 * Copyright (c) 1986-1991 by Sun Microsystems Inc. 31 */ 32 33 /* 34 * rpcb_prot.c 35 * XDR routines for the rpcbinder version 3. 36 * 37 * Copyright (C) 1984, 1988, Sun Microsystems, Inc. 
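 */

#include <wintirpc.h>
#include <rpc/rpc.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/rpcb_prot.h>
#ifdef __REACTOS__ // CVE-2017-8779
#include "rpc_com.h"
#endif

/*
 * Upper bound handed to xdr_string() for every string field in this file.
 *
 * On decode the string length comes straight off the wire, and xdr_string()
 * allocates that many bytes after checking it against this bound.  With the
 * upstream bound of (u_int)~0 the check is effectively absent, so a peer can
 * request an arbitrarily large allocation (CVE-2017-8779).  The __REACTOS__
 * build caps every string at RPC_MAXDATASIZE instead; the upstream value is
 * kept verbatim for the non-ReactOS build so its behaviour is unchanged.
 * Defining the bound once replaces the per-call #ifdef pairs the fix used.
 */
#ifdef __REACTOS__ // CVE-2017-8779
#define RPCB_STRING_MAX	RPC_MAXDATASIZE
#else
#define RPCB_STRING_MAX	((u_int)~0)
#endif

/**
 * XDR-translate a single rpcbind mapping (RPCB).
 *
 * @param xdrs  XDR stream; the direction (encode/decode/free) is xdrs->x_op.
 * @param objp  Mapping to encode, to decode into, or to free.
 * @return TRUE on success, FALSE as soon as any field fails.
 */
bool_t
xdr_rpcb(XDR *xdrs, RPCB *objp)
{
	if (!xdr_u_int32_t(xdrs, &objp->r_prog)) {
		return (FALSE);
	}
	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
		return (FALSE);
	}
	/* All three strings are bounded by RPCB_STRING_MAX (see above). */
	if (!xdr_string(xdrs, &objp->r_netid, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_string(xdrs, &objp->r_addr, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_string(xdrs, &objp->r_owner, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	return (TRUE);
}

/*
 * rpcblist_ptr implements a linked list. The RPCL definition from
 * rpcb_prot.x is:
 *
 * struct rpcblist {
 *	rpcb rpcb_map;
 *	struct rpcblist *rpcb_next;
 * };
 * typedef rpcblist *rpcblist_ptr;
 *
 * Recall that "pointers" in XDR are encoded as a boolean, indicating whether
 * there's any data behind the pointer, followed by the data (if any exists).
 * The boolean can be interpreted as ``more data follows me''; if FALSE then
 * nothing follows the boolean; if TRUE then the boolean is followed by an
 * actual struct rpcb, and another rpcblist_ptr (declared in RPCL as "struct
 * rpcblist *").
 *
 * This could be implemented via the xdr_pointer type, though this would
 * result in one recursive call per element in the list. Rather than do that
 * we can ``unwind'' the recursion into a while loop and use xdr_reference to
 * serialize the rpcb elements.
 */

/**
 * XDR-translate a whole rpcblist chain iteratively.
 *
 * @param xdrs  XDR stream; direction taken from xdrs->x_op.
 * @param rp    Address of the list head.  On decode the chain is built here;
 *              on free every node reachable from it is released.
 * @return TRUE when the terminating FALSE boolean has been processed, FALSE
 *         if any element or boolean fails.
 */
bool_t
xdr_rpcblist_ptr(XDR *xdrs, rpcblist_ptr *rp)
{
	/*
	 * more_elements is pre-computed in case the direction is
	 * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
	 * xdr_bool when the direction is XDR_DECODE.
	 */
	bool_t more_elements;
	int freeing = (xdrs->x_op == XDR_FREE);
	rpcblist_ptr next = NULL;
	rpcblist_ptr next_copy;

	for (;;) {
		more_elements = (bool_t)(*rp != NULL);
		if (! xdr_bool(xdrs, &more_elements)) {
			return (FALSE);
		}
		if (! more_elements) {
			return (TRUE);	/* we are done */
		}
		/*
		 * the unfortunate side effect of non-recursion is that in
		 * the case of freeing we must remember the next object
		 * before we free the current object ...
		 */
		if (freeing) {
			next = (*rp)->rpcb_next;
		}
		if (! xdr_reference(xdrs, (caddr_t *)rp,
		    (u_int)sizeof (rpcblist), (xdrproc_t)xdr_rpcb)) {
			return (FALSE);
		}
		if (freeing) {
			next_copy = next;
			rp = &next_copy;
			/*
			 * Note that in the subsequent iteration, next_copy
			 * gets nulled out by the xdr_reference
			 * but next itself survives.
			 */
		} else {
			rp = &((*rp)->rpcb_next);
		}
	}
	/*NOTREACHED*/
}

/*
 * xdr_rpcblist() is specified to take a RPCBLIST **, but is identical in
 * functionality to xdr_rpcblist_ptr().
 */
bool_t
xdr_rpcblist(XDR *xdrs, RPCBLIST **rp)
{
	return (xdr_rpcblist_ptr(xdrs, (rpcblist_ptr *)rp));
}

/**
 * XDR-translate one rpcb_entry (the RPCBPROC_GETADDRLIST element type).
 *
 * @param xdrs  XDR stream; direction taken from xdrs->x_op.
 * @param objp  Entry to encode, decode into, or free.
 * @return TRUE on success, FALSE as soon as any field fails.
 */
bool_t
xdr_rpcb_entry(XDR *xdrs, rpcb_entry *objp)
{
	/* Every string field is bounded by RPCB_STRING_MAX (see above). */
	if (!xdr_string(xdrs, &objp->r_maddr, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_string(xdrs, &objp->r_nc_netid, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
		return (FALSE);
	}
	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_string(xdrs, &objp->r_nc_proto, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	return (TRUE);
}

/**
 * XDR-translate a whole rpcb_entry_list chain; same unrolled-recursion
 * scheme as xdr_rpcblist_ptr() above, for the rpcb_entry element type.
 *
 * @param xdrs  XDR stream; direction taken from xdrs->x_op.
 * @param rp    Address of the list head.
 * @return TRUE when the terminating FALSE boolean has been processed, FALSE
 *         if any element or boolean fails.
 */
bool_t
xdr_rpcb_entry_list_ptr(XDR *xdrs, rpcb_entry_list_ptr *rp)
{
	/*
	 * more_elements is pre-computed in case the direction is
	 * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
	 * xdr_bool when the direction is XDR_DECODE.
	 */
	bool_t more_elements;
	int freeing = (xdrs->x_op == XDR_FREE);
	rpcb_entry_list_ptr next = NULL;
	rpcb_entry_list_ptr next_copy;

	for (;;) {
		more_elements = (bool_t)(*rp != NULL);
		if (! xdr_bool(xdrs, &more_elements)) {
			return (FALSE);
		}
		if (! more_elements) {
			return (TRUE);	/* we are done */
		}
		/*
		 * the unfortunate side effect of non-recursion is that in
		 * the case of freeing we must remember the next object
		 * before we free the current object ...
		 */
		if (freeing) {
			next = (*rp)->rpcb_entry_next;
		}
		if (! xdr_reference(xdrs, (caddr_t *)rp,
		    (u_int)sizeof (rpcb_entry_list),
		    (xdrproc_t)xdr_rpcb_entry)) {
			return (FALSE);
		}
		if (freeing) {
			next_copy = next;
			rp = &next_copy;
			/*
			 * Note that in the subsequent iteration, next_copy
			 * gets nulled out by the xdr_reference
			 * but next itself survives.
			 */
		} else {
			rp = &((*rp)->rpcb_entry_next);
		}
	}
	/*NOTREACHED*/
}

/*
 * XDR remote call arguments
 * written for XDR_ENCODE direction only
 */
/**
 * Encode the arguments of an rpcbind remote call (RPCBPROC_CALLIT).
 *
 * The argument body is produced by objp->xdr_args, whose encoded size is not
 * known up front, so a placeholder length is written first, the body is
 * encoded, and the stream is then rewound to patch the real length in.
 *
 * @param xdrs  XDR stream.  Must be in XDR_ENCODE mode: the routine writes
 *              through XDR_INLINE and seeks backwards with XDR_SETPOS.
 * @param p     Call arguments; objp->args.args_len is overwritten with the
 *              encoded size of the argument body.
 * @return TRUE on success, FALSE if any field, the argument encoder, or a
 *         seek fails.
 */
bool_t
xdr_rpcb_rmtcallargs(XDR *xdrs, struct rpcb_rmtcallargs *p)
{
	struct r_rpcb_rmtcallargs *objp =
	    (struct r_rpcb_rmtcallargs *)(void *)p;
	u_int lenposition, argposition, position;
	int32_t *buf;

	/* Fast path: write prog/vers/proc straight into the stream buffer. */
	buf = XDR_INLINE(xdrs, 3 * BYTES_PER_XDR_UNIT);
	if (buf == NULL) {
		if (!xdr_u_int32_t(xdrs, &objp->prog)) {
			return (FALSE);
		}
		if (!xdr_u_int32_t(xdrs, &objp->vers)) {
			return (FALSE);
		}
		if (!xdr_u_int32_t(xdrs, &objp->proc)) {
			return (FALSE);
		}
	} else {
		IXDR_PUT_U_INT32(buf, objp->prog);
		IXDR_PUT_U_INT32(buf, objp->vers);
		IXDR_PUT_U_INT32(buf, objp->proc);
	}

	/*
	 * All the jugglery for just getting the size of the arguments
	 */
	lenposition = XDR_GETPOS(xdrs);
	if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
		return (FALSE);
	}
	argposition = XDR_GETPOS(xdrs);
	if (! (*objp->xdr_args)(xdrs, objp->args.args_val)) {
		return (FALSE);
	}
	position = XDR_GETPOS(xdrs);
	objp->args.args_len = (u_int)((u_long)position - (u_long)argposition);
	/*
	 * Both seeks can fail (e.g. a stream that cannot reposition); if one
	 * does, the length field would be left stale or the write position
	 * wrong, so treat it as an encoding failure rather than returning
	 * TRUE over a corrupt message.
	 */
	if (! XDR_SETPOS(xdrs, lenposition)) {
		return (FALSE);
	}
	if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
		return (FALSE);
	}
	if (! XDR_SETPOS(xdrs, position)) {
		return (FALSE);
	}
	return (TRUE);
}

/*
 * XDR remote call results
 * written for XDR_DECODE direction only
 */
/**
 * Decode the results of an rpcbind remote call (RPCBPROC_CALLIT).
 *
 * @param xdrs  XDR stream in XDR_DECODE mode.
 * @param p     Result holder; objp->xdr_res decodes the result body into
 *              objp->results.results_val.
 * @return TRUE on success, FALSE if the address, the length, or the result
 *         decoder fails.
 *
 * Note that results_len is read from the stream but is not used here to
 * bound what objp->xdr_res consumes; the result decoder reads directly from
 * the stream and must enforce its own limits.
 */
bool_t
xdr_rpcb_rmtcallres(XDR *xdrs, struct rpcb_rmtcallres *p)
{
	struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;

	/* addr is bounded by RPCB_STRING_MAX (see above). */
	if (!xdr_string(xdrs, &objp->addr, RPCB_STRING_MAX)) {
		return (FALSE);
	}
	if (!xdr_u_int(xdrs, &objp->results.results_len)) {
		return (FALSE);
	}
	return ((*(objp->xdr_res))(xdrs, objp->results.results_val));
}

/**
 * XDR-translate a struct netbuf (a maxlen/len/buf triple).
 *
 * @param xdrs  XDR stream; direction taken from xdrs->x_op.
 * @param objp  Buffer descriptor.  On decode, maxlen comes off the wire and
 *              is then passed to xdr_bytes() as the upper bound for len.
 * @return TRUE on success, FALSE if a field fails or (ReactOS build) maxlen
 *         exceeds RPC_MAXDATASIZE.
 */
bool_t
xdr_netbuf(XDR *xdrs, struct netbuf *objp)
{
	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
		return (FALSE);
	}
#ifdef __REACTOS__ // CVE-2017-8779
	/*
	 * maxlen is the only bound xdr_bytes() gets for the incoming length,
	 * and on decode it is peer-controlled; cap it so a remote peer cannot
	 * drive an arbitrarily large allocation.
	 */
	if (objp->maxlen > RPC_MAXDATASIZE) {
		return (FALSE);
	}
#endif
	return (xdr_bytes(xdrs, (char **)&(objp->buf),
	    (u_int *)&(objp->len), objp->maxlen));
}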