new file mode 100644

@@ -0,0 +1,255 @@

+diff --git a/src/rpc_generic.c b/src/rpc_generic.c

+index 2f09a8f..589cbd5 100644

+--- a/src/rpc_generic.c

+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)

+ 

+ 	switch (af) {

+ 	case AF_INET:

++		if (nbuf->len < sizeof(*sin)) {

++			return NULL;

++		}

+ 		sin = nbuf->buf;

+ 		if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)

+ 		    == NULL)

+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)

+ 		break;

+ #ifdef INET6

+ 	case AF_INET6:

++		if (nbuf->len < sizeof(*sin6)) {

++			return NULL;

++		}

+ 		sin6 = nbuf->buf;

+ 		if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)

+ 		    == NULL)

+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)

+ 

+ 	port = 0;

+ 	sin = NULL;

++	if (uaddr == NULL)

++		return NULL;

+ 	addrstr = strdup(uaddr);

+ 	if (addrstr == NULL)

+ 		return NULL;

+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c

+index 43fd385..a923c8e 100644

+--- a/src/rpcb_prot.c

+@@ -41,6 +41,7 @@

+ #include <rpc/types.h>

+ #include <rpc/xdr.h>

+ #include <rpc/rpcb_prot.h>

++#include "rpc_com.h"

+ 

+ bool_t

+ xdr_rpcb(xdrs, objp)

+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)

+ 	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	return (TRUE);

+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)

+ 	XDR *xdrs;

+ 	rpcb_entry *objp;

+ {

+-	if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	return (TRUE);

+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)

+ 	bool_t dummy;

+ 	struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;

+ 

+-	if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	if (!xdr_u_int(xdrs, &objp->results.results_len)) {

+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)

+ 	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {

+ 		return (FALSE);

+ 	}

++

++	if (objp->maxlen > RPC_MAXDATASIZE) {

++		return (FALSE);

++	}

++

+ 	dummy = xdr_bytes(xdrs, (char **)&(objp->buf),

+ 			(u_int *)&(objp->len), objp->maxlen);

+ 	return (dummy);

+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c

+index 08db745..28e6a48 100644

+--- a/src/rpcb_st_xdr.c

+@@ -37,6 +37,7 @@

+ 

+ 

+ #include <rpc/rpc.h>

++#include "rpc_com.h"

+ 

+ /* Link list of all the stats about getport and getaddr */

+ 

+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)

+ 	    if (!xdr_int(xdrs, &objp->failure)) {

+ 		return (FALSE);

+ 	    }

+-	    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {

++	    if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	    }

+ 

+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)

+ 		IXDR_PUT_INT32(buf, objp->failure);

+ 		IXDR_PUT_INT32(buf, objp->indirect);

+ 	}

+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,

+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)

+ 		objp->failure = (int)IXDR_GET_INT32(buf);

+ 		objp->indirect = (int)IXDR_GET_INT32(buf);

+ 	}

+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,

+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)

+ 	if (!xdr_int(xdrs, &objp->indirect)) {

+ 		return (FALSE);

+ 	}

+-	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {

++	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {

+ 		return (FALSE);

+ 	}

+ 	if (!xdr_pointer(xdrs, (char **)&objp->next,

+diff --git a/src/xdr.c b/src/xdr.c

+index f3fb9ad..b9a1558 100644

+--- a/src/xdr.c

+@@ -42,8 +42,10 @@

+ #include <stdlib.h>

+ #include <string.h>

+ 

++#include <rpc/rpc.h>

+ #include <rpc/types.h>

+ #include <rpc/xdr.h>

++#include <rpc/rpc_com.h>

+ 

+ typedef quad_t          longlong_t;     /* ANSI long long type */

+ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */

+@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */

+  */

+ #define XDR_FALSE	((long) 0)

+ #define XDR_TRUE	((long) 1)

+-#define LASTUNSIGNED	((u_int) 0-1)

+ 

+ /*

+  * for unit alignment

+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)

+ {

+ 	char *sp = *cpp;  /* sp is the actual string pointer */

+ 	u_int nodesize;

++	bool_t ret, allocated = FALSE;

+ 

+ 	/*

+ 	 * first deal with the length since xdr bytes are counted

+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)

+ 		}

+ 		if (sp == NULL) {

+ 			*cpp = sp = mem_alloc(nodesize);

++			allocated = TRUE;

+ 		}

+ 		if (sp == NULL) {

+ 			warnx("xdr_bytes: out of memory");

+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)

+ 		/* FALLTHROUGH */

+ 

+ 	case XDR_ENCODE:

+-		return (xdr_opaque(xdrs, sp, nodesize));

++		ret = xdr_opaque(xdrs, sp, nodesize);

++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {

++			if (allocated == TRUE) {

++				free(sp);

++				*cpp = NULL;

++			}

++		}

++		return (ret);

+ 

+ 	case XDR_FREE:

+ 		if (sp != NULL) {

+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)

+ 	char *sp = *cpp;  /* sp is the actual string pointer */

+ 	u_int size;

+ 	u_int nodesize;

++	bool_t ret, allocated = FALSE;

+ 

+ 	/*

+ 	 * first deal with the length since xdr strings are counted-strings

+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)

+ 	switch (xdrs->x_op) {

+ 

+ 	case XDR_DECODE:

+-		if (sp == NULL)

++		if (sp == NULL) {

+ 			*cpp = sp = mem_alloc(nodesize);

++			allocated = TRUE;

++		}

+ 		if (sp == NULL) {

+ 			warnx("xdr_string: out of memory");

+ 			return (FALSE);

+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)

+ 		/* FALLTHROUGH */

+ 

+ 	case XDR_ENCODE:

+-		return (xdr_opaque(xdrs, sp, size));

++		ret = xdr_opaque(xdrs, sp, size);

++		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {

++			if (allocated == TRUE) {

++				free(sp);

++				*cpp = NULL;

++			}

++		}

++		return (ret);

+ 

+ 	case XDR_FREE:

+ 		mem_free(sp, nodesize);

+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)

+ 	XDR *xdrs;

+ 	char **cpp;

+ {

+-	return xdr_string(xdrs, cpp, LASTUNSIGNED);

++	return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);

+ }

+ 

+ /*

@@ -1,10 +1,11 @@

 Summary:	Libraries for Transport Independent RPC

 Name:		libtirpc

 Version:	1.0.1

-Release:	3%{?dist}

+Release:	4%{?dist}

 Source0:	http://downloads.sourceforge.net/project/libtirpc/libtirpc/0.3.2/%{name}-%{version}.tar.bz2

 %define sha1 libtirpc=8da1636f98b5909c0d587e7534bc1e91f5c1a970

 Patch0:         libtirpc-1.0.1-bindrsvport-blacklist.patch

+Patch1:         libtirpc-CVE-2017-8779.patch

 License:	BSD

 Group:		System Environment/Libraries

 URL:		http://nfsv4.bullopensource.org/

@@ -37,6 +38,7 @@ This package includes header files and libraries necessary for developing progra

 %prep

 %setup -q

 %patch0

+%patch1 -p1

 %build

 ./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}

@@ -67,6 +69,8 @@ make install DESTDIR=%{buildroot}

 %changelog

+*	Thu May 18 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.0.1-4

+-	Fix CVE-2017-8779

 *	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.0.1-3

 -	GA - Bump release of all rpms

 * 	Mon Feb 08 2016 Anish Swaminathan <anishs@vmware.com>  1.0.1-2

new file mode 100644

@@ -0,0 +1,21 @@

+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c

+index 5862c26..e11f61b 100644

+--- a/src/rpcb_svc_com.c

+@@ -48,6 +48,7 @@

+ #include <rpc/rpc.h>

+ #include <rpc/rpcb_prot.h>

+ #include <rpc/svc_dg.h>

++#include <rpc/rpc_com.h>

+ #include <netconfig.h>

+ #include <errno.h>

+ #include <syslog.h>

+@@ -432,7 +433,7 @@ rpcbproc_taddr2uaddr_com(void *arg, struct svc_req *rqstp /*__unused*/,

+ static bool_t

+ xdr_encap_parms(XDR *xdrs, struct encap_parms *epp)

+ {

+-	return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), ~0));

++	return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), RPC_MAXDATASIZE));

+ }

+ 

+ /*

@@ -1,30 +1,35 @@

-Summary:	RPC program number mapper

-Name:		rpcbind

-Version:	0.2.3

-Release:	7%{?dist}

-License:	BSD

-URL:		http://nfsv4.bullopensource.org

-Group:	    Applications/Daemons

-Source0:    http://downloads.sourceforge.net/rpcbind/%{name}-%{version}.tar.bz2

+Summary:        RPC program number mapper

+Name:           rpcbind

+Version:        0.2.3

+Release:        8%{?dist}

+License:        BSD

+URL:            http://nfsv4.bullopensource.org

+Group:          Applications/Daemons

+Source0:        http://downloads.sourceforge.net/rpcbind/%{name}-%{version}.tar.bz2

 %define sha1 rpcbind=e79974a99d09b6d6fff9d86bf00225dc33723ce2

-Source1:    rpcbind.service

-Source2:    rpcbind.socket

-Source3:    rpcbind.sysconfig

-Patch0:     http://www.linuxfromscratch.org/patches/blfs/svn/rpcbind-0.2.3-tirpc_fix-1.patch

-Vendor:     VMware, Inc.

+Source1:        rpcbind.service

+Source2:        rpcbind.socket

+Source3:        rpcbind.sysconfig

+Patch0:         http://www.linuxfromscratch.org/patches/blfs/svn/rpcbind-0.2.3-tirpc_fix-1.patch

+Patch1:         rpcbind-CVE-2017-8779.patch

+Vendor:         VMware, Inc.

 Distribution:   Photon

-BuildRequires:	libtirpc-devel

+BuildRequires:  libtirpc-devel

 BuildRequires:  systemd

 Requires:       libtirpc

 Requires:       systemd

 Requires(pre):  shadow

 Requires(preun):shadow

 Requires(post): coreutils

+

 %description

 The rpcbind program is a replacement for portmap. It is required for import or export of Network File System (NFS) shared directories. The rpcbind utility is a server that converts RPC program numbers into universal addresses

+

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

+

 %build

 sed -i "/servname/s:rpcbind:sunrpc:" src/rpcbind.c

 ./configure --prefix=%{_prefix}      \

@@ -34,6 +39,7 @@ sed -i "/servname/s:rpcbind:sunrpc:" src/rpcbind.c

             --with-statedir=%{_localstatedir}/lib/rpcbind \

             --with-rpcuser=rpc

 make

+

 %install

 make DESTDIR=%{buildroot} install

 mkdir -p %{buildroot}%{_localstatedir}/lib/rpcbind

@@ -58,7 +64,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 rpcid=`getent passwd rpc | cut -d: -f 3`

 if [ -n "$rpcid" -a "$rpcid" != "31" ]; then

 	userdel  rpc 2> /dev/null || :

-	groupdel rpc 2> /dev/null || : 

+	groupdel rpc 2> /dev/null || :

 fi

 if [ -z "$rpcid" -o "$rpcid" != "31" ]; then

 	groupadd -g 31 rpc > /dev/null 2>&1

@@ -84,7 +90,10 @@ fi

 %clean

 rm -rf %{buildroot}/*

+

 %changelog

+*	Thu May 18 2017 Vinay Kulkarni <kulkarniv@vmware.com> 0.2.3-8

+-	Fix CVE-2017-8779

 *	Fri May 05 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.2.3-7

 -	add shadow and coreutils to requires

 *	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.2.3-6