NetBSD-Bugs archive
lib/44132: libc/rpc may overwrite not-allocated memory
>Number: 44132
>Category: lib
>Synopsis: libc/rpc may overwrite not-allocated memory
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Nov 23 09:35:00 +0000 2010
>Originator: Wolfgang Stukenbrock
>Release: NetBSD 5.0.2
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s1 5.0.2 NetBSD 5.0.2 (NSW-S011) #12: Thu Nov 11 11:29:19 CET 2010 wgstuken@s012:/export/NetBSD-5.0.2/N+C-build/.OBJDIR_amd64/export/NetBSD-5.0.2/src/sys/arch/amd64/compile/NSW-S011 amd64
Architecture: x86_64
Machine: amd64
>Description:
In /usr/src/lib/libc/rpc/xdr_rec.c there is a routine called realloc_stream(), which is used to adjust the receive buffer if the next record does not fit into the current buffer. This routine returns TRUE on success and FALSE on error.
This routine is used only by __xdrrec_getrec() in the same file, but the return value is ignored. So in the (very rare) case that the realloc does not succeed, the resulting buffer is too small.
Next the readit() function pointer is called for the "rest of the packet", and in the TCP case (read_vc() from clnt_vc.c) this routine will fill the buffer as requested. But the buffer is smaller and memory corruption occurs.
Remark: I haven't added line numbers, because realloc_stream() is a static routine and only called once, and it should be possible to locate it in the source file.
>How-To-Repeat:
Problem found by a look into the sources.
>Fix:
Return an error if realloc() fails.
I'm not really familiar with the internals of the rpc-lib, so I do not know what kind of error should be returned from __xdrrec_getrec() in that case.
The routine should return FALSE if realloc_stream() failed, but I'm not sure about the correct value for *statp.
Sorry.
>Unformatted:
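A constructed C model of the pattern the report describes: a getrec() routine that ignores the result of realloc_stream() beside the checked form the Fix section asks for. This is an added example, not NetBSD's xdr_rec.c. The struct layout, the guarded_read() stand-in for read_vc() and the knob that makes realloc() fail are assumptions; the error path simply returns FALSE, with no particular *statp value, since the report leaves that open.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model, not the NetBSD code: the field names follow the report
 * (realloc_stream, readit, fbtbc, recvsize) but the layout is an assumption.
 */
typedef struct recstream recstream;
struct recstream {
    char   *recvbuf;      /* receive buffer for the current record */
    size_t  recvsize;     /* bytes actually allocated for recvbuf */
    size_t  fbtbc;        /* length of the record that must be read next */
    size_t  overrun;      /* bytes the reader was asked to put past recvsize */
    int     readit_calls; /* how often the read callback ran */
    bool    fail_realloc; /* knob: simulate realloc() returning NULL */
    /* read callback: place len bytes at buf, return bytes delivered */
    ptrdiff_t (*readit)(recstream *handle, char *buf, size_t len);
};

/* Grow recvbuf to hold size bytes: true on success, false if realloc fails. */
static bool realloc_stream(recstream *rs, size_t size)
{
    if (size <= rs->recvsize)
        return true;
    char *buf = rs->fail_realloc ? NULL : realloc(rs->recvbuf, size);
    if (buf == NULL)
        return false;             /* old buffer still valid, still too small */
    rs->recvbuf = buf;
    rs->recvsize = size;
    return true;
}

/*
 * Stand-in for read_vc(): like the TCP reader it "delivers" exactly the
 * number of bytes requested.  Instead of corrupting the heap it clips the
 * copy at recvsize and records how many bytes would have landed beyond the
 * allocation, so the overflow can be observed safely.
 */
static ptrdiff_t guarded_read(recstream *rs, char *buf, size_t len)
{
    size_t writable = len < rs->recvsize ? len : rs->recvsize;
    rs->readit_calls++;
    if (len > rs->recvsize)
        rs->overrun += len - rs->recvsize;
    memset(buf, 'A', writable);   /* constructed payload */
    return (ptrdiff_t)len;        /* reports a full read, as read_vc would */
}

/* Pattern from the report: the result of realloc_stream() is ignored. */
static bool getrec_unchecked(recstream *rs)
{
    size_t n = rs->fbtbc;
    if (n > rs->recvsize)
        realloc_stream(rs, n);    /* BUG: on failure recvsize stays < n */
    return rs->readit(rs, rs->recvbuf, n) == (ptrdiff_t)n;
}

/* Hardened form: refuse to read when the buffer could not be grown. */
static bool getrec_checked(recstream *rs)
{
    size_t n = rs->fbtbc;
    if (n > rs->recvsize && !realloc_stream(rs, n))
        return false;             /* never request more than the buffer holds */
    return rs->readit(rs, rs->recvbuf, n) == (ptrdiff_t)n;
}

/*
 * Drive one record through either variant and return the getrec() result.
 * *overrun_out receives the bytes that would have been written outside the
 * allocation (0 means the heap stayed intact).
 */
bool run_getrec(bool checked, bool fail_realloc, size_t recvsize,
                size_t record_len, size_t *overrun_out)
{
    recstream rs;
    memset(&rs, 0, sizeof rs);
    rs.recvbuf = malloc(recvsize);
    if (rs.recvbuf == NULL)
        abort();
    rs.recvsize = recvsize;
    rs.fbtbc = record_len;
    rs.fail_realloc = fail_realloc;
    rs.readit = guarded_read;

    bool ok = checked ? getrec_checked(&rs) : getrec_unchecked(&rs);
    if (overrun_out != NULL)
        *overrun_out = rs.overrun;
    free(rs.recvbuf);
    return ok;
}

int main(void)
{
    size_t over;
    bool ok = run_getrec(false, true, 64, 1024, &over);
    printf("unchecked, realloc fails: ok=%d, bytes past buffer=%zu\n", ok, over);
    ok = run_getrec(true, true, 64, 1024, &over);
    printf("checked,   realloc fails: ok=%d, bytes past buffer=%zu\n", ok, over);
    return 0;
}
```

With a 64-byte buffer and a 1024-byte record, the unchecked variant reports success while the reader was asked to write 960 bytes past the allocation; in the real library that write goes to the heap and only a tool such as ASan would flag it. The checked variant returns FALSE before the reader is ever called.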