ReactOS  0.4.15-dev-3720-g4cf9b79
rpcb_prot.c
Go to the documentation of this file.
1 
2 /*
3  * Copyright (c) 2009, Sun Microsystems, Inc.
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions are met:
8  * - Redistributions of source code must retain the above copyright notice,
9  * this list of conditions and the following disclaimer.
10  * - Redistributions in binary form must reproduce the above copyright notice,
11  * this list of conditions and the following disclaimer in the documentation
12  * and/or other materials provided with the distribution.
13  * - Neither the name of Sun Microsystems, Inc. nor the names of its
14  * contributors may be used to endorse or promote products derived
15  * from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
21  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 /*
30  * Copyright (c) 1986-1991 by Sun Microsystems Inc.
31  */
32 
33 /*
34  * rpcb_prot.c
35  * XDR routines for the rpcbinder version 3.
36  *
37  * Copyright (C) 1984, 1988, Sun Microsystems, Inc.
38  */
39 
40 #include <wintirpc.h>
41 #include <rpc/rpc.h>
42 #include <rpc/types.h>
43 #include <rpc/xdr.h>
44 #include <rpc/rpcb_prot.h>
45 #ifdef __REACTOS__ // CVE-2017-8779
46 #include "rpc_com.h"
47 #endif
48 
49 bool_t
50 xdr_rpcb(xdrs, objp)
51  XDR *xdrs;
52  RPCB *objp;
53 {
54  if (!xdr_u_int32_t(xdrs, &objp->r_prog)) {
55  return (FALSE);
56  }
57  if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
58  return (FALSE);
59  }
60 #ifndef __REACTOS__ // CVE-2017-8779
61  if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
62  return (FALSE);
63  }
64  if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
65  return (FALSE);
66  }
67  if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
68  return (FALSE);
69  }
70 #else
71  if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
72  return (FALSE);
73  }
74  if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
75  return (FALSE);
76  }
77  if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
78  return (FALSE);
79  }
80 #endif
81  return (TRUE);
82 }
83 
84 /*
85  * rpcblist_ptr implements a linked list. The RPCL definition from
86  * rpcb_prot.x is:
87  *
88  * struct rpcblist {
89  * rpcb rpcb_map;
90  * struct rpcblist *rpcb_next;
91  * };
92  * typedef rpcblist *rpcblist_ptr;
93  *
94  * Recall that "pointers" in XDR are encoded as a boolean, indicating whether
95  * there's any data behind the pointer, followed by the data (if any exists).
96  * The boolean can be interpreted as ``more data follows me''; if FALSE then
97  * nothing follows the boolean; if TRUE then the boolean is followed by an
98  * actual struct rpcb, and another rpcblist_ptr (declared in RPCL as "struct
99  * rpcblist *").
100  *
101  * This could be implemented via the xdr_pointer type, though this would
102  * result in one recursive call per element in the list. Rather than do that
103  * we can ``unwind'' the recursion into a while loop and use xdr_reference to
104  * serialize the rpcb elements.
105  */
106 
107 bool_t
108 xdr_rpcblist_ptr(xdrs, rp)
109  XDR *xdrs;
110  rpcblist_ptr *rp;
111 {
112  /*
113  * more_elements is pre-computed in case the direction is
114  * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
115  * xdr_bool when the direction is XDR_DECODE.
116  */
117  bool_t more_elements;
118  int freeing = (xdrs->x_op == XDR_FREE);
119  rpcblist_ptr next;
120  rpcblist_ptr next_copy;
121 
122  next = NULL;
123  for (;;) {
124  more_elements = (bool_t)(*rp != NULL);
125  if (! xdr_bool(xdrs, &more_elements)) {
126  return (FALSE);
127  }
128  if (! more_elements) {
129  return (TRUE); /* we are done */
130  }
131  /*
132  * the unfortunate side effect of non-recursion is that in
133  * the case of freeing we must remember the next object
134  * before we free the current object ...
135  */
136  if (freeing)
137  next = (*rp)->rpcb_next;
138  if (! xdr_reference(xdrs, (caddr_t *)rp,
139  (u_int)sizeof (rpcblist), (xdrproc_t)xdr_rpcb)) {
140  return (FALSE);
141  }
142  if (freeing) {
143  next_copy = next;
144  rp = &next_copy;
145  /*
146  * Note that in the subsequent iteration, next_copy
147  * gets nulled out by the xdr_reference
148  * but next itself survives.
149  */
150  } else {
151  rp = &((*rp)->rpcb_next);
152  }
153  }
154  /*NOTREACHED*/
155 }
156 
157 /*
158  * xdr_rpcblist() is specified to take a RPCBLIST **, but is identical in
159  * functionality to xdr_rpcblist_ptr().
160  */
161 bool_t
162 xdr_rpcblist(xdrs, rp)
163  XDR *xdrs;
164  RPCBLIST **rp;
165 {
166  bool_t dummy;
167 
168  dummy = xdr_rpcblist_ptr(xdrs, (rpcblist_ptr *)rp);
169  return (dummy);
170 }
171 
172 
173 bool_t
174 xdr_rpcb_entry(xdrs, objp)
175  XDR *xdrs;
176  rpcb_entry *objp;
177 {
178 #ifndef __REACTOS__ // CVE-2017-8779
179  if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
180  return (FALSE);
181  }
182  if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
183  return (FALSE);
184  }
185 #else
186  if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
187  return (FALSE);
188  }
189  if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
190  return (FALSE);
191  }
192 #endif
193  if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
194  return (FALSE);
195  }
196 #ifndef __REACTOS__ // CVE-2017-8779
197  if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
198  return (FALSE);
199  }
200  if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
201  return (FALSE);
202  }
203 #else
204  if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
205  return (FALSE);
206  }
207  if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
208  return (FALSE);
209  }
210 #endif
211  return (TRUE);
212 }
213 
214 bool_t
215 xdr_rpcb_entry_list_ptr(xdrs, rp)
216  XDR *xdrs;
217  rpcb_entry_list_ptr *rp;
218 {
219  /*
220  * more_elements is pre-computed in case the direction is
221  * XDR_ENCODE or XDR_FREE. more_elements is overwritten by
222  * xdr_bool when the direction is XDR_DECODE.
223  */
224  bool_t more_elements;
225  int freeing = (xdrs->x_op == XDR_FREE);
226  rpcb_entry_list_ptr next;
227  rpcb_entry_list_ptr next_copy;
228 
229  next = NULL;
230  for (;;) {
231  more_elements = (bool_t)(*rp != NULL);
232  if (! xdr_bool(xdrs, &more_elements)) {
233  return (FALSE);
234  }
235  if (! more_elements) {
236  return (TRUE); /* we are done */
237  }
238  /*
239  * the unfortunate side effect of non-recursion is that in
240  * the case of freeing we must remember the next object
241  * before we free the current object ...
242  */
243  if (freeing)
244  next = (*rp)->rpcb_entry_next;
245  if (! xdr_reference(xdrs, (caddr_t *)rp,
246  (u_int)sizeof (rpcb_entry_list),
247  (xdrproc_t)xdr_rpcb_entry)) {
248  return (FALSE);
249  }
250  if (freeing) {
251  next_copy = next;
252  rp = &next_copy;
253  /*
254  * Note that in the subsequent iteration, next_copy
255  * gets nulled out by the xdr_reference
256  * but next itself survives.
257  */
258  } else {
259  rp = &((*rp)->rpcb_entry_next);
260  }
261  }
262  /*NOTREACHED*/
263 }
264 
265 /*
266  * XDR remote call arguments
267  * written for XDR_ENCODE direction only
268  */
269 bool_t
270 xdr_rpcb_rmtcallargs(xdrs, p)
271  XDR *xdrs;
272  struct rpcb_rmtcallargs *p;
273 {
274  struct r_rpcb_rmtcallargs *objp =
275  (struct r_rpcb_rmtcallargs *)(void *)p;
276  u_int lenposition, argposition, position;
277  int32_t *buf;
278 
279  buf = XDR_INLINE(xdrs, 3 * BYTES_PER_XDR_UNIT);
280  if (buf == NULL) {
281  if (!xdr_u_int32_t(xdrs, &objp->prog)) {
282  return (FALSE);
283  }
284  if (!xdr_u_int32_t(xdrs, &objp->vers)) {
285  return (FALSE);
286  }
287  if (!xdr_u_int32_t(xdrs, &objp->proc)) {
288  return (FALSE);
289  }
290  } else {
291  IXDR_PUT_U_INT32(buf, objp->prog);
292  IXDR_PUT_U_INT32(buf, objp->vers);
293  IXDR_PUT_U_INT32(buf, objp->proc);
294  }
295 
296  /*
297  * All the jugglery for just getting the size of the arguments
298  */
299  lenposition = XDR_GETPOS(xdrs);
300  if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
301  return (FALSE);
302  }
303  argposition = XDR_GETPOS(xdrs);
304  if (! (*objp->xdr_args)(xdrs, objp->args.args_val)) {
305  return (FALSE);
306  }
307  position = XDR_GETPOS(xdrs);
308  objp->args.args_len = (u_int)((u_long)position - (u_long)argposition);
309  XDR_SETPOS(xdrs, lenposition);
310  if (! xdr_u_int(xdrs, &(objp->args.args_len))) {
311  return (FALSE);
312  }
313  XDR_SETPOS(xdrs, position);
314  return (TRUE);
315 }
316 
317 /*
318  * XDR remote call results
319  * written for XDR_DECODE direction only
320  */
321 bool_t
322 xdr_rpcb_rmtcallres(xdrs, p)
323  XDR *xdrs;
324  struct rpcb_rmtcallres *p;
325 {
326  bool_t dummy;
327  struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
328 
329 #ifdef __REACTOS__ // CVE-2017-8779
330  if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
331 #else
332  if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
333 #endif
334  return (FALSE);
335  }
336  if (!xdr_u_int(xdrs, &objp->results.results_len)) {
337  return (FALSE);
338  }
339  dummy = (*(objp->xdr_res))(xdrs, objp->results.results_val);
340  return (dummy);
341 }
342 
343 bool_t
344 xdr_netbuf(xdrs, objp)
345  XDR *xdrs;
346  struct netbuf *objp;
347 {
348  bool_t dummy;
349 
350  if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
351  return (FALSE);
352  }
353 #ifdef __REACTOS__ // CVE-2017-8779
354 
355  if (objp->maxlen > RPC_MAXDATASIZE) {
356  return (FALSE);
357  }
358 
359 #endif
360  dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
361  (u_int *)&(objp->len), objp->maxlen);
362  return (dummy);
363 }
rpcb_entry_list
Definition: rpcb_prot.h:326
r_rpcb_rmtcallargs::prog
rpcprog_t prog
Definition: rpcb_prot.h:253
XDR_GETPOS
#define XDR_GETPOS(xdrs)
Definition: xdr.h:199
u_long
unsigned long u_long
Definition: linux.h:269
xdr_reference
bool_t xdr_reference(XDR *xdrs, caddr_t *pp, u_int size, xdrproc_t proc)
Definition: xdr_reference.c:62
rpcb_prot.h
bool_t
int32_t bool_t
Definition: types.h:101
TRUE
#define TRUE
Definition: types.h:120
xdr_rpcblist_ptr
bool_t xdr_rpcblist_ptr(XDR *xdrs, rpcblist_ptr *rp)
Definition: rpcb_prot.c:108
r_rpcb_rmtcallargs::vers
rpcvers_t vers
Definition: rpcb_prot.h:254
xdr_string
bool_t xdr_string(XDR *xdrs, char **cpp, u_int maxsize)
Definition: xdr.c:678
netbuf::buf
void * buf
Definition: types.h:147
r_rpcb_rmtcallres::xdr_res
xdrproc_t xdr_res
Definition: rpcb_prot.h:295
rpcb::r_netid
char * r_netid
Definition: rpcb_prot.h:143
xdr_netbuf
bool_t xdr_netbuf(XDR *xdrs, struct netbuf *objp)
Definition: rpcb_prot.c:344
caddr_t
char * caddr_t
Definition: rosdhcp.h:36
__rpc_xdr
Definition: xdr.h:103
r_rpcb_rmtcallres
Definition: rpcb_prot.h:289
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
xdrproc_t
bool_t(* xdrproc_t)(XDR *,...)
Definition: xdr.h:144
FALSE
#define FALSE
Definition: types.h:117
rpcb_rmtcallargs
Definition: rpcb_prot.h:221
rp__list
Definition: rpcb_prot.h:172
xdr_u_int
bool_t xdr_u_int(XDR *xdrs, u_int *up)
Definition: xdr.c:133
rpcb::r_prog
rpcprog_t r_prog
Definition: rpcb_prot.h:141
xdr_rpcb_entry_list_ptr
bool_t xdr_rpcb_entry_list_ptr(XDR *xdrs, rpcb_entry_list_ptr *rp)
Definition: rpcb_prot.c:215
IXDR_PUT_U_INT32
#define IXDR_PUT_U_INT32(buf, v)
Definition: rpcb_prot.h:21
r_rpcb_rmtcallargs::proc
rpcproc_t proc
Definition: rpcb_prot.h:255
r_rpcb_rmtcallres::addr
char * addr
Definition: rpcb_prot.h:290
rpcb_entry::r_nc_proto
char * r_nc_proto
Definition: rpcb_prot.h:310
xdr_rpcb_rmtcallres
bool_t xdr_rpcb_rmtcallres(XDR *xdrs, struct rpcb_rmtcallres *p)
Definition: rpcb_prot.c:322
rpcb::r_addr
char * r_addr
Definition: rpcb_prot.h:144
r_rpcb_rmtcallargs::xdr_args
xdrproc_t xdr_args
Definition: rpcb_prot.h:260
__rpc_xdr::x_op
enum xdr_op x_op
Definition: xdr.h:104
rpcb::r_owner
char * r_owner
Definition: rpcb_prot.h:145
netbuf::maxlen
unsigned int maxlen
Definition: types.h:145
xdr_rpcb_rmtcallargs
bool_t xdr_rpcb_rmtcallargs(XDR *xdrs, struct rpcb_rmtcallargs *p)
Definition: rpcb_prot.c:270
netbuf::len
unsigned int len
Definition: types.h:146
rpcb::r_vers
rpcvers_t r_vers
Definition: rpcb_prot.h:142
r_rpcb_rmtcallargs::args
struct r_rpcb_rmtcallargs::@196 args
u_int32_t
unsigned int u_int32_t
Definition: rosdhcp.h:35
rpcb_entry::r_nc_protofmly
char * r_nc_protofmly
Definition: rpcb_prot.h:309
XDR_INLINE
#define XDR_INLINE(xdrs, len)
Definition: xdr.h:209
rpcb_rmtcallres
Definition: rpcb_prot.h:268
r_rpcb_rmtcallres::results
struct r_rpcb_rmtcallres::@198 results
int32_t
INT32 int32_t
Definition: types.h:71
xdr_rpcblist
bool_t xdr_rpcblist(XDR *xdrs, RPCBLIST **rp)
Definition: rpcb_prot.c:162
XDR_SETPOS
#define XDR_SETPOS(xdrs, pos)
Definition: xdr.h:204
next
static unsigned __int64 next
Definition: rand_nt.c:6
rpcb_entry::r_nc_semantics
u_int r_nc_semantics
Definition: rpcb_prot.h:308
xdr_u_int32_t
bool_t xdr_u_int32_t(XDR *xdrs, u_int32_t *u_int32_p)
Definition: xdr.c:239
u_int
UINT32 u_int
Definition: types.h:82
dummy
unsigned char dummy
Definition: maze.c:118
r_rpcb_rmtcallargs
Definition: rpcb_prot.h:252
xdr_bool
bool_t xdr_bool(XDR *xdrs, bool_t *bp)
Definition: xdr.c:428
xdr_rpcb
bool_t xdr_rpcb(XDR *xdrs, RPCB *objp)
Definition: rpcb_prot.c:50
NULL
#define NULL
Definition: types.h:112
rpcb_entry::r_nc_netid
char * r_nc_netid
Definition: rpcb_prot.h:307
netbuf
Definition: types.h:144
XDR_FREE
Definition: xdr.h:87
RPC_MAXDATASIZE
#define RPC_MAXDATASIZE
Definition: rpc_com.h:51
xdr_rpcb_entry
bool_t xdr_rpcb_entry(XDR *xdrs, rpcb_entry *objp)
Definition: rpcb_prot.c:174
rpcb_entry::r_maddr
char * r_maddr
Definition: rpcb_prot.h:306
xdr_bytes
bool_t xdr_bytes(XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize)
Definition: xdr.c:536
rpcb_entry
Definition: rpcb_prot.h:305
p
GLfloat GLfloat p
Definition: glext.h:8902
BYTES_PER_XDR_UNIT
#define BYTES_PER_XDR_UNIT
Definition: xdr.h:93