Bug 946204 (CVE-2015-7236) - VUL-0: CVE-2015-7236: rpcbind: aborts on remote scan
Summary: VUL-0: CVE-2015-7236: rpcbind: aborts on remote scan
Status: RESOLVED FIXED
Alias: CVE-2015-7236
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Olaf Kirch
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-17 12:22 UTC by Marcus Meissner
Modified: 2016-04-27 19:21 UTC (History)
CC List: 12 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-09-17 12:22:03 UTC
http://www.spinics.net/lists/linux-nfs/msg53045.html

We have seen occasional reports of a commercial security scanner 
triggering crashes in rpcbind, but these were fairly elusive.

Now we finally got a usable core file showing that rpcbind crashed in 
svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer. 
Closer inspection suggested that the pointer variable actually 
contained a sockaddr_in.

Here's how I think the memory corruption happens:

 - A PMAP_CALLIT call comes in on IPv4 UDP

 - rpcbind duplicates the caller's address to a netbuf and stores
   it in FINFO[0].caller_addr. caller_addr->buf now points to a
   memory region A with a size of 16 bytes

 - rpcbind forwards the call to the local service, receives a reply

 - when processing the reply, it does this in xprt_set_caller:
     xprt->xp_rtaddr = *FINFO[0].caller_addr
   where xprt is the UDP transport on which it received the
   PMAP_CALLIT request.

   It sends out the reply, and then frees the netbuf caller_addr and
   caller_addr.buf.
   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
   to memory region A, which is free.

 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv
   will be called, which will set xp_rtaddr to the client's address.
   It will reuse the buffer inside xp_rtaddr, ie it will write a
   sockaddr_in to region A.

So, this explains how memory gets corrupted. Here's why that 
eventually led to a crash in svc_dodestroy.

 - Some time down the road, an incoming TCP connection is accepted,
   allocating a fresh SVCXPRT. The memory region A is inside the
   new SVCXPRT.

 - While processing the TCP call, another UDP call comes in, again
   overwriting region A with the client's address

 - TCP client closes connection. In svc_destroy, we now trip over
   the garbage left in region A

The fix seems to be to make xprt_set_caller copy the caller's address 
to xprt->xp_rtaddr using __rpc_set_netbuf rather than just overwrite 
the netbuf.

Signed-off-by: Olaf Kirch <okir@xxxxxxx>
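The two forms of xprt_set_caller contrasted in the analysis above, as an added example that is not rpcbind's or libtirpc's own code: a reduced netbuf/SVCXPRT model, a simplified stand-in for __rpc_set_netbuf (an assumed helper written for this example, not the library's implementation), and a walk through the PMAP_CALLIT forwarding path that reports whether xp_rtaddr still aliases the FINFO buffer at the moment rpcbind frees it. The addresses, ports and every function name other than xprt_set_caller and __rpc_set_netbuf are constructed for the example; the vulnerable path stops before anything would touch the freed region, so the program itself never dereferences freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Same field layout as libtirpc's struct netbuf. */
struct netbuf { unsigned int maxlen; unsigned int len; void *buf; };

/* Reduced stand-in for SVCXPRT: only the remote-address netbuf is modelled. */
struct svcxprt { struct netbuf xp_rtaddr; };

/* Simplified stand-in for __rpc_set_netbuf() (assumed helper): copy len bytes
 * into a buffer owned by nb, reusing nb->buf when it is already big enough. */
static void *rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
{
    if (nb->buf == NULL || nb->maxlen < len) {
        void *p = realloc(nb->buf, len);
        if (p == NULL)
            return NULL;
        nb->buf = p;
        nb->maxlen = (unsigned int)len;
    }
    memcpy(nb->buf, ptr, len);
    nb->len = (unsigned int)len;
    return nb->buf;
}

/* Vulnerable form: struct assignment copies the pointer, so xp_rtaddr and
 * FINFO[0].caller_addr share one 16-byte buffer (region A in the analysis). */
static void xprt_set_caller_vulnerable(struct svcxprt *xprt, const struct netbuf *ca)
{
    xprt->xp_rtaddr = *ca;
}

/* Fixed form: deep-copy the address into the transport's own buffer. */
static int xprt_set_caller_fixed(struct svcxprt *xprt, const struct netbuf *ca)
{
    return rpc_set_netbuf(&xprt->xp_rtaddr, ca->buf, ca->len) != NULL;
}

/* rpcbind recording the PMAP_CALLIT caller: sockaddr duplicated into a fresh netbuf. */
static struct netbuf *dup_caller_addr(const struct sockaddr_in *sin)
{
    struct netbuf *nb = calloc(1, sizeof *nb);
    if (nb == NULL || rpc_set_netbuf(nb, sin, sizeof *sin) == NULL) {
        free(nb);
        return NULL;
    }
    return nb;
}

static void free_caller_addr(struct netbuf *nb) { free(nb->buf); free(nb); }

static struct sockaddr_in make_addr(uint32_t host, uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(host);
    sin.sin_port = htons(port);
    return sin;
}

/* One PMAP_CALLIT on a UDP/IPv4 transport. Returns 1 if xp_rtaddr still points
 * at the FINFO buffer when that buffer is freed (the dangling pointer behind
 * the crash), 0 if the transport owns a copy that survives the free and the
 * next svc_dg_recv, 2 on allocation failure or a data mismatch. */
int simulate_callit(int use_fix)
{
    struct svcxprt udp_xprt = { { 0, 0, NULL } };
    struct sockaddr_in caller = make_addr(0x0a000001, 40000); /* constructed: 10.0.0.1 */
    struct sockaddr_in next   = make_addr(0x0a000002, 40001); /* constructed: 10.0.0.2 */
    struct sockaddr_in stored;
    int dangling;

    /* PMAP_CALLIT arrives: caller address goes into FINFO[0].caller_addr. */
    struct netbuf *caller_addr = dup_caller_addr(&caller);
    if (caller_addr == NULL)
        return 2;

    /* Reply from the local service arrives: xprt_set_caller runs. */
    if (use_fix) {
        if (!xprt_set_caller_fixed(&udp_xprt, caller_addr)) {
            free_caller_addr(caller_addr);
            return 2;
        }
    } else {
        xprt_set_caller_vulnerable(&udp_xprt, caller_addr);
    }

    /* Reply sent; FINFO entry and its buffer are freed. The verdict is taken
     * before the free so no freed pointer is ever read afterwards. */
    dangling = (udp_xprt.xp_rtaddr.buf == caller_addr->buf);
    free_caller_addr(caller_addr);
    if (dangling)
        return 1;   /* xp_rtaddr.buf now refers to freed region A: stop here */

    /* Next UDP call: svc_dg_recv overwrites xp_rtaddr in place. With the fix
     * that write lands in the transport's own buffer, not in region A. */
    if (rpc_set_netbuf(&udp_xprt.xp_rtaddr, &next, sizeof next) == NULL) {
        free(udp_xprt.xp_rtaddr.buf);
        return 2;
    }
    memcpy(&stored, udp_xprt.xp_rtaddr.buf, sizeof stored);
    free(udp_xprt.xp_rtaddr.buf);
    return (stored.sin_addr.s_addr == next.sin_addr.s_addr &&
            stored.sin_port == next.sin_port) ? 0 : 2;
}

int main(void)
{
    printf("shallow copy: %s\n", simulate_callit(0) == 1 ? "xp_rtaddr dangles" : "ok");
    printf("deep copy:    %s\n", simulate_callit(1) == 0 ? "xp_rtaddr owns its buffer" : "FAIL");
    return 0;
}
```

The aliasing check is the whole point: in the shallow-copy path the transport and the FINFO entry hold the same buf pointer, so whichever side frees first leaves the other dangling, and the next svc_dg_recv then writes a sockaddr_in through it. The same model is a convenient place to see why the corruption is hard to reproduce: nothing goes wrong until the allocator hands region A to a later SVCXPRT.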
Comment 1 Swamp Workflow Management 2015-09-17 22:00:15 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2015-10-09 09:10:24 UTC
SUSE-SU-2015:1705-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 940191,946204
CVE References: CVE-2015-7236
Sources used:
SUSE Linux Enterprise Server 12 (src):    rpcbind-0.2.1_rc4-13.3.1
Comment 5 Swamp Workflow Management 2015-10-09 09:11:13 UTC
SUSE-SU-2015:1706-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 940191,946204
CVE References: CVE-2015-7236
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Server 11-SP4 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Server 11-SP3 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    rpcbind-0.1.6+git20080930-6.24.1
Comment 6 Swamp Workflow Management 2015-10-09 10:10:09 UTC
SUSE-SU-2015:1705-2: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 940191,946204
CVE References: CVE-2015-7236
Sources used:
SUSE Linux Enterprise Desktop 12 (src):    rpcbind-0.2.1_rc4-13.3.1
Comment 7 Swamp Workflow Management 2015-10-09 10:10:42 UTC
SUSE-SU-2015:1706-2: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 940191,946204
CVE References: CVE-2015-7236
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    rpcbind-0.1.6+git20080930-6.24.1
SUSE Linux Enterprise Server 11-SP4 (src):    rpcbind-0.1.6+git20080930-6.24.1
Comment 8 Marcus Meissner 2015-12-07 11:45:54 UTC
released