[arch-commits] Commit in libtirpc/repos (8 files)

Fri May 5 18:22:07 UTC 2017

Date: Friday, May 5, 2017 @ 18:22:07
  Author: andyrtr
Revision: 295330

archrelease: copy trunk to testing-i686, testing-x86_64

Added:
  libtirpc/repos/testing-i686/
  libtirpc/repos/testing-i686/CVE-2017-8779.diff
    (from rev 295329, libtirpc/trunk/CVE-2017-8779.diff)
  libtirpc/repos/testing-i686/PKGBUILD
    (from rev 295329, libtirpc/trunk/PKGBUILD)
  libtirpc/repos/testing-i686/add_missing_rwlock_unlocks_in_xprt_register.diff
    (from rev 295329, libtirpc/trunk/add_missing_rwlock_unlocks_in_xprt_register.diff)
  libtirpc/repos/testing-x86_64/
  libtirpc/repos/testing-x86_64/CVE-2017-8779.diff
    (from rev 295329, libtirpc/trunk/CVE-2017-8779.diff)
  libtirpc/repos/testing-x86_64/PKGBUILD
    (from rev 295329, libtirpc/trunk/PKGBUILD)
  libtirpc/repos/testing-x86_64/add_missing_rwlock_unlocks_in_xprt_register.diff
    (from rev 295329, libtirpc/trunk/add_missing_rwlock_unlocks_in_xprt_register.diff)

-----------------------------------------------------------------+
 testing-i686/CVE-2017-8779.diff                                 |  255 ++++++++++
 testing-i686/PKGBUILD                                           |   40 +
 testing-i686/add_missing_rwlock_unlocks_in_xprt_register.diff   |   61 ++
 testing-x86_64/CVE-2017-8779.diff                               |  255 ++++++++++
 testing-x86_64/PKGBUILD                                         |   40 +
 testing-x86_64/add_missing_rwlock_unlocks_in_xprt_register.diff |   61 ++
 6 files changed, 712 insertions(+)

Copied: libtirpc/repos/testing-i686/CVE-2017-8779.diff (from rev 295329, libtirpc/trunk/CVE-2017-8779.diff)
===================================================================

--- testing-i686/CVE-2017-8779.diff	                        (rev 0)
+++ testing-i686/CVE-2017-8779.diff	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,255 @@
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 
+ 	switch (af) {
+ 	case AF_INET:
++		if (nbuf->len < sizeof(*sin)) {
++			return NULL;
++		}
+ 		sin = nbuf->buf;
+ 		if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+ 		    == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 		break;
+ #ifdef INET6
+ 	case AF_INET6:
++		if (nbuf->len < sizeof(*sin6)) {
++			return NULL;
++		}
+ 		sin6 = nbuf->buf;
+ 		if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+ 		    == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+ 
+ 	port = 0;
+ 	sin = NULL;
++	if (uaddr == NULL)
++		return NULL;
+ 	addrstr = strdup(uaddr);
+ 	if (addrstr == NULL)
+ 		return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
++++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+ #include <rpc/rpcb_prot.h>
++#include "rpc_com.h"
+ 
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+ 	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+ 	XDR *xdrs;
+ 	rpcb_entry *objp;
+ {
+-	if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+ 	bool_t dummy;
+ 	struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+ 
+-	if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+ 	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+ 		return (FALSE);
+ 	}
++
++	if (objp->maxlen > RPC_MAXDATASIZE) {
++		return (FALSE);
++	}
++
+ 	dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+ 			(u_int *)&(objp->len), objp->maxlen);
+ 	return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
++++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+ 
+ 
+ #include <rpc/rpc.h>
++#include "rpc_com.h"
+ 
+ /* Link list of all the stats about getport and getaddr */
+ 
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+ 	    if (!xdr_int(xdrs, &objp->failure)) {
+ 		return (FALSE);
+ 	    }
+-	    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	    if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	    }
+ 
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 		IXDR_PUT_INT32(buf, objp->failure);
+ 		IXDR_PUT_INT32(buf, objp->indirect);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 		objp->failure = (int)IXDR_GET_INT32(buf);
+ 		objp->indirect = (int)IXDR_GET_INT32(buf);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 	if (!xdr_int(xdrs, &objp->indirect)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <rpc/rpc.h>
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
++#include <rpc/rpc_com.h>
+ 
+ typedef quad_t          longlong_t;     /* ANSI long long type */
+ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+  */
+ #define XDR_FALSE	((long) 0)
+ #define XDR_TRUE	((long) 1)
+-#define LASTUNSIGNED	((u_int) 0-1)
+ 
+ /*
+  * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+ 	char *sp = *cpp;  /* sp is the actual string pointer */
+ 	u_int nodesize;
++	bool_t ret, allocated = FALSE;
+ 
+ 	/*
+ 	 * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ 		}
+ 		if (sp == NULL) {
+ 			*cpp = sp = mem_alloc(nodesize);
++			allocated = TRUE;
+ 		}
+ 		if (sp == NULL) {
+ 			warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ 		/* FALLTHROUGH */
+ 
+ 	case XDR_ENCODE:
+-		return (xdr_opaque(xdrs, sp, nodesize));
++		ret = xdr_opaque(xdrs, sp, nodesize);
++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++			if (allocated == TRUE) {
++				free(sp);
++				*cpp = NULL;
++			}
++		}
++		return (ret);
+ 
+ 	case XDR_FREE:
+ 		if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+ 	char *sp = *cpp;  /* sp is the actual string pointer */
+ 	u_int size;
+ 	u_int nodesize;
++	bool_t ret, allocated = FALSE;
+ 
+ 	/*
+ 	 * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+ 	switch (xdrs->x_op) {
+ 
+ 	case XDR_DECODE:
+-		if (sp == NULL)
++		if (sp == NULL) {
+ 			*cpp = sp = mem_alloc(nodesize);
++			allocated = TRUE;
++		}
+ 		if (sp == NULL) {
+ 			warnx("xdr_string: out of memory");
+ 			return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+ 		/* FALLTHROUGH */
+ 
+ 	case XDR_ENCODE:
+-		return (xdr_opaque(xdrs, sp, size));
++		ret = xdr_opaque(xdrs, sp, size);
++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++			if (allocated == TRUE) {
++				free(sp);
++				*cpp = NULL;
++			}
++		}
++		return (ret);
+ 
+ 	case XDR_FREE:
+ 		mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+ 	XDR *xdrs;
+ 	char **cpp;
+ {
+-	return xdr_string(xdrs, cpp, LASTUNSIGNED);
++	return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+ 
+ /*

Copied: libtirpc/repos/testing-i686/PKGBUILD (from rev 295329, libtirpc/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD	                        (rev 0)
+++ testing-i686/PKGBUILD	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Tom Gundersen <teg at jklm.no>
+# Contributor: Tobias Powalowski <tpowa at archlinux.org>
+
+pkgname=libtirpc
+pkgver=1.0.1
+pkgrel=3
+pkgdesc="Transport Independent RPC library (SunRPC replacement)"
+arch=('i686' 'x86_64')
+url="http://libtirpc.sourceforge.net/"
+license=('BSD')
+depends=('krb5')
+backup=('etc/netconfig')
+# git tree: git://linux-nfs.org/~steved/libtirpc
+source=(http://downloads.sourceforge.net/sourceforge/libtirpc/${pkgname}-${pkgver}.tar.bz2
+        add_missing_rwlock_unlocks_in_xprt_register.diff
+        CVE-2017-8779.diff)
+sha1sums=('8da1636f98b5909c0d587e7534bc1e91f5c1a970'
+          'c451b0eb527098c0d9e308e4978866b7aaaf688e'
+          '0220d75a0caceb28f0c413d19239b52abdc00b2e')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  # upstream post release fix to properly work with rpcbind
+  patch -Np1 -i ../add_missing_rwlock_unlocks_in_xprt_register.diff
+  # http://seclists.org/oss-sec/2017/q2/209
+  patch -Np1 -i ../CVE-2017-8779.diff
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr --sysconf=/etc
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  install -D -m644 COPYING "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}

Copied: libtirpc/repos/testing-i686/add_missing_rwlock_unlocks_in_xprt_register.diff (from rev 295329, libtirpc/trunk/add_missing_rwlock_unlocks_in_xprt_register.diff)
===================================================================
--- testing-i686/add_missing_rwlock_unlocks_in_xprt_register.diff	                        (rev 0)
+++ testing-i686/add_missing_rwlock_unlocks_in_xprt_register.diff	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,61 @@
+From 4f1503e84b2f7bd229a097335e52fb8203f5bb0b Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney at mforney.org>
+Date: Wed, 4 Nov 2015 13:58:06 -0500
+Subject: [PATCH] Add missing rwlock_unlocks in xprt_register
+
+It looks like in b2c9430f46c4ac848957fb8adaac176a3f6ac03f when svc_run
+switched to poll, an early return was added, but the rwlock was not
+unlocked.
+
+I observed that rpcbind built against libtirpc-1.0.1 would handle only
+one request before hanging, and tracked it down to a missing
+rwlock_unlock here.
+
+Fixes: b2c9430f46c4 ('Use poll() instead of select() in svc_run()')
+Signed-off-by: Michael Forney <mforney at mforney.org>
+Signed-off-by: Steve Dickson <steved at redhat.com>
+---
+ src/svc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/svc.c b/src/svc.c
+index 9c41445..b59467b 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -99,7 +99,7 @@ xprt_register (xprt)
+     {
+       __svc_xports = (SVCXPRT **) calloc (_rpc_dtablesize(), sizeof (SVCXPRT *));
+       if (__svc_xports == NULL)
+-	return;
++            goto unlock;
+     }
+   if (sock < _rpc_dtablesize())
+     {
+@@ -120,14 +120,14 @@ xprt_register (xprt)
+             svc_pollfd[i].fd = sock;
+             svc_pollfd[i].events = (POLLIN | POLLPRI |
+                                     POLLRDNORM | POLLRDBAND);
+-            return;
++            goto unlock;
+           }
+ 
+       new_svc_pollfd = (struct pollfd *) realloc (svc_pollfd,
+                                                   sizeof (struct pollfd)
+                                                   * (svc_max_pollfd + 1));
+       if (new_svc_pollfd == NULL) /* Out of memory */
+-        return;
++        goto unlock;
+       svc_pollfd = new_svc_pollfd;
+       ++svc_max_pollfd;
+ 
+@@ -135,6 +135,7 @@ xprt_register (xprt)
+       svc_pollfd[svc_max_pollfd - 1].events = (POLLIN | POLLPRI |
+                                                POLLRDNORM | POLLRDBAND);
+     }
++unlock:
+   rwlock_unlock (&svc_fd_lock);
+ }
+ 
+-- 
+1.8.2.1
+

Copied: libtirpc/repos/testing-x86_64/CVE-2017-8779.diff (from rev 295329, libtirpc/trunk/CVE-2017-8779.diff)
===================================================================
--- testing-x86_64/CVE-2017-8779.diff	                        (rev 0)
+++ testing-x86_64/CVE-2017-8779.diff	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,255 @@
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 
+ 	switch (af) {
+ 	case AF_INET:
++		if (nbuf->len < sizeof(*sin)) {
++			return NULL;
++		}
+ 		sin = nbuf->buf;
+ 		if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+ 		    == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 		break;
+ #ifdef INET6
+ 	case AF_INET6:
++		if (nbuf->len < sizeof(*sin6)) {
++			return NULL;
++		}
+ 		sin6 = nbuf->buf;
+ 		if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+ 		    == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+ 
+ 	port = 0;
+ 	sin = NULL;
++	if (uaddr == NULL)
++		return NULL;
+ 	addrstr = strdup(uaddr);
+ 	if (addrstr == NULL)
+ 		return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
++++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+ #include <rpc/rpcb_prot.h>
++#include "rpc_com.h"
+ 
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+ 	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+ 	XDR *xdrs;
+ 	rpcb_entry *objp;
+ {
+-	if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+ 	bool_t dummy;
+ 	struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+ 
+-	if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+ 	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+ 		return (FALSE);
+ 	}
++
++	if (objp->maxlen > RPC_MAXDATASIZE) {
++		return (FALSE);
++	}
++
+ 	dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+ 			(u_int *)&(objp->len), objp->maxlen);
+ 	return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
++++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+ 
+ 
+ #include <rpc/rpc.h>
++#include "rpc_com.h"
+ 
+ /* Link list of all the stats about getport and getaddr */
+ 
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+ 	    if (!xdr_int(xdrs, &objp->failure)) {
+ 		return (FALSE);
+ 	    }
+-	    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	    if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	    }
+ 
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 		IXDR_PUT_INT32(buf, objp->failure);
+ 		IXDR_PUT_INT32(buf, objp->indirect);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 		objp->failure = (int)IXDR_GET_INT32(buf);
+ 		objp->indirect = (int)IXDR_GET_INT32(buf);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ 	if (!xdr_int(xdrs, &objp->indirect)) {
+ 		return (FALSE);
+ 	}
+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ 		return (FALSE);
+ 	}
+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <rpc/rpc.h>
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
++#include <rpc/rpc_com.h>
+ 
+ typedef quad_t          longlong_t;     /* ANSI long long type */
+ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+  */
+ #define XDR_FALSE	((long) 0)
+ #define XDR_TRUE	((long) 1)
+-#define LASTUNSIGNED	((u_int) 0-1)
+ 
+ /*
+  * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+ 	char *sp = *cpp;  /* sp is the actual string pointer */
+ 	u_int nodesize;
++	bool_t ret, allocated = FALSE;
+ 
+ 	/*
+ 	 * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ 		}
+ 		if (sp == NULL) {
+ 			*cpp = sp = mem_alloc(nodesize);
++			allocated = TRUE;
+ 		}
+ 		if (sp == NULL) {
+ 			warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ 		/* FALLTHROUGH */
+ 
+ 	case XDR_ENCODE:
+-		return (xdr_opaque(xdrs, sp, nodesize));
++		ret = xdr_opaque(xdrs, sp, nodesize);
++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++			if (allocated == TRUE) {
++				free(sp);
++				*cpp = NULL;
++			}
++		}
++		return (ret);
+ 
+ 	case XDR_FREE:
+ 		if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+ 	char *sp = *cpp;  /* sp is the actual string pointer */
+ 	u_int size;
+ 	u_int nodesize;
++	bool_t ret, allocated = FALSE;
+ 
+ 	/*
+ 	 * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+ 	switch (xdrs->x_op) {
+ 
+ 	case XDR_DECODE:
+-		if (sp == NULL)
++		if (sp == NULL) {
+ 			*cpp = sp = mem_alloc(nodesize);
++			allocated = TRUE;
++		}
+ 		if (sp == NULL) {
+ 			warnx("xdr_string: out of memory");
+ 			return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+ 		/* FALLTHROUGH */
+ 
+ 	case XDR_ENCODE:
+-		return (xdr_opaque(xdrs, sp, size));
++		ret = xdr_opaque(xdrs, sp, size);
++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++			if (allocated == TRUE) {
++				free(sp);
++				*cpp = NULL;
++			}
++		}
++		return (ret);
+ 
+ 	case XDR_FREE:
+ 		mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+ 	XDR *xdrs;
+ 	char **cpp;
+ {
+-	return xdr_string(xdrs, cpp, LASTUNSIGNED);
++	return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+ 
+ /*

Copied: libtirpc/repos/testing-x86_64/PKGBUILD (from rev 295329, libtirpc/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Tom Gundersen <teg at jklm.no>
+# Contributor: Tobias Powalowski <tpowa at archlinux.org>
+
+pkgname=libtirpc
+pkgver=1.0.1
+pkgrel=3
+pkgdesc="Transport Independent RPC library (SunRPC replacement)"
+arch=('i686' 'x86_64')
+url="http://libtirpc.sourceforge.net/"
+license=('BSD')
+depends=('krb5')
+backup=('etc/netconfig')
+# git tree: git://linux-nfs.org/~steved/libtirpc
+source=(http://downloads.sourceforge.net/sourceforge/libtirpc/${pkgname}-${pkgver}.tar.bz2
+        add_missing_rwlock_unlocks_in_xprt_register.diff
+        CVE-2017-8779.diff)
+sha1sums=('8da1636f98b5909c0d587e7534bc1e91f5c1a970'
+          'c451b0eb527098c0d9e308e4978866b7aaaf688e'
+          '0220d75a0caceb28f0c413d19239b52abdc00b2e')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  # upstream post release fix to properly work with rpcbind
+  patch -Np1 -i ../add_missing_rwlock_unlocks_in_xprt_register.diff
+  # http://seclists.org/oss-sec/2017/q2/209
+  patch -Np1 -i ../CVE-2017-8779.diff
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr --sysconf=/etc
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  install -D -m644 COPYING "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}

Copied: libtirpc/repos/testing-x86_64/add_missing_rwlock_unlocks_in_xprt_register.diff (from rev 295329, libtirpc/trunk/add_missing_rwlock_unlocks_in_xprt_register.diff)
===================================================================
--- testing-x86_64/add_missing_rwlock_unlocks_in_xprt_register.diff	                        (rev 0)
+++ testing-x86_64/add_missing_rwlock_unlocks_in_xprt_register.diff	2017-05-05 18:22:07 UTC (rev 295330)
@@ -0,0 +1,61 @@
+From 4f1503e84b2f7bd229a097335e52fb8203f5bb0b Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney at mforney.org>
+Date: Wed, 4 Nov 2015 13:58:06 -0500
+Subject: [PATCH] Add missing rwlock_unlocks in xprt_register
+
+It looks like in b2c9430f46c4ac848957fb8adaac176a3f6ac03f when svc_run
+switched to poll, an early return was added, but the rwlock was not
+unlocked.
+
+I observed that rpcbind built against libtirpc-1.0.1 would handle only
+one request before hanging, and tracked it down to a missing
+rwlock_unlock here.
+
+Fixes: b2c9430f46c4 ('Use poll() instead of select() in svc_run()')
+Signed-off-by: Michael Forney <mforney at mforney.org>
+Signed-off-by: Steve Dickson <steved at redhat.com>
+---
+ src/svc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/svc.c b/src/svc.c
+index 9c41445..b59467b 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -99,7 +99,7 @@ xprt_register (xprt)
+     {
+       __svc_xports = (SVCXPRT **) calloc (_rpc_dtablesize(), sizeof (SVCXPRT *));
+       if (__svc_xports == NULL)
+-	return;
++            goto unlock;
+     }
+   if (sock < _rpc_dtablesize())
+     {
+@@ -120,14 +120,14 @@ xprt_register (xprt)
+             svc_pollfd[i].fd = sock;
+             svc_pollfd[i].events = (POLLIN | POLLPRI |
+                                     POLLRDNORM | POLLRDBAND);
+-            return;
++            goto unlock;
+           }
+ 
+       new_svc_pollfd = (struct pollfd *) realloc (svc_pollfd,
+                                                   sizeof (struct pollfd)
+                                                   * (svc_max_pollfd + 1));
+       if (new_svc_pollfd == NULL) /* Out of memory */
+-        return;
++        goto unlock;
+       svc_pollfd = new_svc_pollfd;
+       ++svc_max_pollfd;
+ 
+@@ -135,6 +135,7 @@ xprt_register (xprt)
+       svc_pollfd[svc_max_pollfd - 1].events = (POLLIN | POLLPRI |
+                                                POLLRDNORM | POLLRDBAND);
+     }
++unlock:
+   rwlock_unlock (&svc_fd_lock);
+ }
+ 
+-- 
+1.8.2.1
+

