Subject: bin/13237: rpcbind dumps core in addrmerge()
To: None <gnats-bugs@gnats.netbsd.org>
From: Manuel Bouyer <Manuel.Bouyer@asim.lip6.fr>
List: netbsd-bugs
Date: 06/18/2001 14:45:54
>Number: 13237
>Category: bin
>Synopsis: rpcbind dumps core in addrmerge()
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jun 18 05:44:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Manuel Bouyer
>Release: 1.5.1
>Organization:
LIP6, Universite Paris VI
>Environment:
System: NetBSD asim.lip6.fr 1.5+vlan NetBSD 1.5+vlan (ASIM) #1: Fri Feb 2 17:31:06 MET 2001 bouyer@antigua.lip6.fr:/home/NetBSD-1.5+vlan/src/sys/arch/i386/compile/ASIM i386
libc is from 1.5, rpcbind compiled from 1.5.1 sources
>Description:
This machine is a server which exports some filesystems to linux
and Solaris NFS clients (with nfs locking, as it exports /var/mail). It
has been running happily for more than 6 months. This weekend rpcbind
started dumping core without apparent reason. I recompiled rpcbind
from 1.5.1 sources, but this didn't solve the problem.
Looking at the core dump with gdb showed that taddr2uaddr() was called
with an uninitialised tbuf in addrmerge().
>How-To-Repeat:
I don't know how to reproduce it. I found the uninitialised variable
to be the problem but I can't explain why I've not been hit before
by this. As tbuf is allocated on stack maybe it contains sensible
data in the general case (maybe left from a previous call to
addrmerge() which found the proper interface).
I have other servers which run the same code on which the problem hasn't
shown up yet. The difference is that this server isn't on the same
subnet as the clients.
>Fix:
The patch below solves the problem for me, but I'm not sure at all
it's right for all cases.
--- util.c.orig Mon Jun 18 14:31:37 2001
+++ util.c Mon Jun 18 12:22:47 2001
@@ -279,6 +279,14 @@
bestif = ifap;
}
ifap = bestif;
+ /* servsin should have been initialised in the 'case' */
+ newsin = (struct sockaddr_in *)&ss;
+ memcpy(newsin, ifap->ifa_addr,
+ clnt_sa->sa_len);
+ newsin->sin_port = servsin->sin_port;
+ tbuf.len = clnt_sa->sa_len;
+ tbuf.maxlen = sizeof (struct sockaddr_storage);
+ tbuf.buf = newsin;
found:
if (ifap != NULL)
ret = taddr2uaddr(nconf, &tbuf);
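Review bot: the added block dereferences `ifap->ifa_addr` unconditionally right after `ifap = bestif;`, but the existing `found:` path guards with `if (ifap != NULL)`, so when no suitable interface was found (`bestif` still NULL) the new `memcpy()` will fault before that guard is reached; wrap the new assignments in the same `if (ifap != NULL)` check (or jump to `found:` early when `bestif` is NULL) so the fall-through case stays a no-op. Two smaller points in the same hunk: the comment "servsin should have been initialised in the 'case'" is only a hope, so either initialise `servsin` to NULL where it is declared and test it here, or add an assertion, rather than relying on an earlier `case` arm having run; and `memcpy(newsin, ifap->ifa_addr, clnt_sa->sa_len)` copies the client's address length out of the interface address, which is only correct if both are the same family, so `ifap->ifa_addr->sa_len` is the safer length (and `tbuf.len` should then match it).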
>Release-Note:
>Audit-Trail:
>Unformatted: