NetBSD Problem Report #13082

Received: (qmail 18834 invoked from network); 1 Jun 2001 16:27:57 -0000
Message-Id: <200106011620.f51GKCi24020@oban.imag.fr>
Date: Fri, 1 Jun 2001 18:20:12 +0200 (MEST)
From: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Reply-To: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
To: gnats-bugs@gnats.netbsd.org
Subject: clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
X-Send-Pr-Version: 3.95

>Number:         13082
>Category:       lib
>Synopsis:       clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 01 16:28:00 +0000 2001
>Closed-Date:    Wed Jul 17 00:27:08 +0000 2013
>Last-Modified:  Wed Jul 17 00:27:08 +0000 2013
>Originator:     Jean-Luc Richier
>Release:        NetBSD 1.5
>Organization:
IMAG
>Environment:
System: NetBSD oban.imag.fr 1.5 NetBSD 1.5 (IPv6) #24: Fri Apr 20 17:36:52 MEST 2001 richier@oban.imag.fr:/usr/src/sys/arch/sparc/compile/IPv6 sparc


>Description:
    In the RPC libc code, the control call which allows clients to
    find the address of the server (clnt_control(clnt, CLGET_SVC_ADDR, ..)
    return an incorrect value.
    Bug was detected in NetBSD1.5, and in still in the NetBSD-current source

>How-To-Repeat:
    Consider the code at the end, which allows to test rpc calls (unicast or
    not) on different transports, compile it (cc -o tstrpc tstrpc.c)
    - on udp: it works:
    % tstrpc tuna.imag.fr
    response from: tuna.imag.fr
    - on tcp there is an error
    % tstrpc -t tuna.imag.fr
    incorrect response

     test program tstrpc.c:
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <rpc/rpc.h>

#define RPCBPROC_NULL 0
char *transp;

int
reply(caddr_t replyp, struct netbuf *raddrp, struct netconfig *nconf)
{
	char host[NI_MAXHOST];
	struct sockaddr *sock = raddrp->buf;

	if (getnameinfo(sock, sock->sa_len, host, sizeof (host), NULL, 0, 0))
		printf("incorrect response\n");
	else
		printf("response from: %s\n", host);
	return(0);
}

void
onehost(char *host)
{
        CLIENT *clnt;
	struct netbuf addr;
	struct timeval tv;

        if ((clnt = clnt_create(host, RPCBPROG, RPCBVERS, transp)) == NULL)
                errx(1, "%s", clnt_spcreateerror(""));

	tv.tv_sec = 15;
	tv.tv_usec = 0;
	if (clnt_call(clnt, RPCBPROC_NULL, xdr_void, NULL, xdr_void, NULL, tv)
			!= RPC_SUCCESS)
                errx(1, "%s", clnt_sperror(clnt, ""));
	clnt_control(clnt, CLGET_SVC_ADDR, (char *)&addr);
	reply(NULL, &addr, NULL);
}

void
allhosts()
{
	enum clnt_stat clnt_stat;

	clnt_stat = rpc_broadcast(RPCBPROG, RPCBVERS, RPCBPROC_NULL,
				   xdr_void, NULL, xdr_void, NULL,
				   (resultproc_t)reply, transp);
	if (clnt_stat != RPC_SUCCESS && clnt_stat != RPC_TIMEDOUT)
		errx(1, "%s", clnt_sperrno(clnt_stat));
}

int
main(int argc, char *argv[])
{
        int ch;

	transp = "udp";
        while ((ch = getopt(argc, argv, "ut")) != -1)
	        switch (ch) {
                case 't':
                        transp = "tcp";
                        break;
                case 'u':
                        transp = "udp";
                        break;
                default:
                        errx(1, "tstrpc -[u|t] ...");
                }
	if (argc == optind)
		allhosts();
	else for (; optind < argc; optind++)
		onehost(argv[optind]);
        exit(0);
}

>Fix:

     The problem is in lib/libc/rpc/clnt_vc.c, an incorrect reference.
     To correct:

*** /usr/src/lib/libc/rpc/clnt_vc.c.DIST	Fri Jul 14 18:48:12 2000
--- /usr/src/lib/libc/rpc/clnt_vc.c	Fri Jun  1 18:05:33 2001
***************
*** 263,269 ****
  	ct->ct_addr.buf = malloc(raddr->maxlen);
  	if (ct->ct_addr.buf == NULL)
  		goto fooy;
! 	memcpy(ct->ct_addr.buf, &raddr->buf, raddr->len);
  	ct->ct_addr.len = raddr->maxlen;
  	ct->ct_addr.maxlen = raddr->maxlen;

--- 263,269 ----
  	ct->ct_addr.buf = malloc(raddr->maxlen);
  	if (ct->ct_addr.buf == NULL)
  		goto fooy;
! 	memcpy(ct->ct_addr.buf, raddr->buf, raddr->len);
  	ct->ct_addr.len = raddr->maxlen;
  	ct->ct_addr.maxlen = raddr->maxlen;


>Release-Note:
>Audit-Trail:

From: christos@zoulas.com (Christos Zoulas)
To: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>,
	lib-bug-people@netbsd.org, gnats-bugs@gnats.netbsd.org
Cc:  
Subject: Re: lib/13082: clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
Date: Fri, 1 Jun 2001 13:18:10 -0400

 On Jun 1,  6:20pm, Jean-Luc.Richier@imag.fr (Jean-Luc Richier) wrote:
 -- Subject: lib/13082: clnt_control option CLGET_SVC_ADDR does not work with 

 Yes, but it looks to me like the next line is wrong too. The assignment
 should probably be:

     ct->ct_addr.len = raddr->len;

 not:

     ct->ct_addr.len = raddr->maxlen;

 christos

 | *** /usr/src/lib/libc/rpc/clnt_vc.c.DIST	Fri Jul 14 18:48:12 2000
 | --- /usr/src/lib/libc/rpc/clnt_vc.c	Fri Jun  1 18:05:33 2001
 | ***************
 | *** 263,269 ****
 |   	ct->ct_addr.buf = malloc(raddr->maxlen);
 |   	if (ct->ct_addr.buf == NULL)
 |   		goto fooy;
 | ! 	memcpy(ct->ct_addr.buf, &raddr->buf, raddr->len);
 |   	ct->ct_addr.len = raddr->maxlen;
 |   	ct->ct_addr.maxlen = raddr->maxlen;
 |   
 | --- 263,269 ----
 |   	ct->ct_addr.buf = malloc(raddr->maxlen);
 |   	if (ct->ct_addr.buf == NULL)
 |   		goto fooy;
 | ! 	memcpy(ct->ct_addr.buf, raddr->buf, raddr->len);
 |   	ct->ct_addr.len = raddr->maxlen;
 |   	ct->ct_addr.maxlen = raddr->maxlen;
 |   
 | 
 | >Release-Note:
 | >Audit-Trail:
 | >Unformatted:
 -- End of excerpt from Jean-Luc Richier


From: Thorsten Brehm <tbrehm@dspace.de>
To: "gnats-bugs@gnats.netbsd.org" <gnats-bugs@gnats.netbsd.org>
Cc: "christos@zoulas.com" <christos@zoulas.com>
Subject: Re: lib/13082
Date: Tue, 26 Feb 2013 09:16:50 +0000

 --_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_
 Content-Type: text/plain; charset="us-ascii"
 Content-Transfer-Encoding: quoted-printable

 This bug should be raised to "critical", since it causes sporadic segfaults=
 . The incorrect memcpy source location has already been described in the re=
 port.

 But moreover, the memory location &raddr->buf only guarantees 4 bytes (or 8=
  bytes on 64 bit systems) to be accessible, while raddr->len is larger than=
  4 (or 8). When &raddr->buf is located at the end of an accessible memory s=
 egment, then memcpy(...,&raddr->buf, raddr->len) results in a memory violat=
 ion (apart from not copying the right data). I've seen this crash regularly=
 , obviously depending on the memory layout of the application.

 The following patch fixes the segfault and also the second issue mentioned =
 by Christos, which I can also confirm:

 diff -wru trunk/src/lib/libc/rpc/clnt_vc.c new/src/lib/libc/rpc/clnt_vc.c
 --- trunk/src/lib/libc/rpc/clnt_vc.c
 +++ new/src/lib/libc/rpc/clnt_vc.c
 @@ -263,8 +263,8 @@
                ct->ct_addr.buf =3D malloc((size_t)raddr->maxlen);
                if (ct->ct_addr.buf =3D=3D NULL)
                               goto fooy;
 -              memcpy(ct->ct_addr.buf, &raddr->buf, (size_t)raddr->len);
 -              ct->ct_addr.len =3D raddr->maxlen;
 +             memcpy(ct->ct_addr.buf, raddr->buf, (size_t)raddr->len);
 +             ct->ct_addr.len =3D raddr->len;
                ct->ct_addr.maxlen =3D raddr->maxlen;
                 /*

 I've debugged, fixed and tested this locally - before seeing the issue and =
 patch has already been known for more than 11 years. So *please* let's fix =
 this now ;-).

 Thorsten


 --_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_
 Content-Type: text/html; charset="us-ascii"
 Content-Transfer-Encoding: quoted-printable

 <html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
 osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
 xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
 //www.w3.org/TR/REC-html40">
 <head>
 <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
 >
 <meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
 <style><!--
 /* Font Definitions */
 @font-face
 	{font-family:Calibri;
 	panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
 	{margin:0cm;
 	margin-bottom:.0001pt;
 	font-size:11.0pt;
 	font-family:"Calibri","sans-serif";
 	mso-fareast-language:EN-US;}
 a:link, span.MsoHyperlink
 	{mso-style-priority:99;
 	color:blue;
 	text-decoration:underline;}
 a:visited, span.MsoHyperlinkFollowed
 	{mso-style-priority:99;
 	color:purple;
 	text-decoration:underline;}
 pre
 	{mso-style-priority:99;
 	mso-style-link:"HTML Vorformatiert Zchn";
 	margin:0cm;
 	margin-bottom:.0001pt;
 	font-size:10.0pt;
 	font-family:"Courier New";}
 span.E-MailFormatvorlage17
 	{mso-style-type:personal-compose;
 	font-family:"Calibri","sans-serif";
 	color:windowtext;}
 span.HTMLVorformatiertZchn
 	{mso-style-name:"HTML Vorformatiert Zchn";
 	mso-style-priority:99;
 	mso-style-link:"HTML Vorformatiert";
 	font-family:"Courier New";
 	mso-fareast-language:DE;}
 .MsoChpDefault
 	{mso-style-type:export-only;
 	mso-fareast-language:EN-US;}
 @page WordSection1
 	{size:612.0pt 792.0pt;
 	margin:70.85pt 70.85pt 2.0cm 70.85pt;}
 div.WordSection1
 	{page:WordSection1;}
 --></style><!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
 </xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
 <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
 </head>
 <body lang=3D"DE" link=3D"blue" vlink=3D"purple">
 <div class=3D"WordSection1">
 <p class=3D"MsoNormal"><span lang=3D"EN-US">This bug should be raised to &#=
 8220;critical&#8221;, since it causes sporadic segfaults. The incorrect mem=
 cpy source location has already been described in the report.<o:p></o:p></s=
 pan></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">But moreover, the memory locati=
 on &amp;raddr-&gt;buf only guarantees 4 bytes (or 8 bytes on 64 bit systems=
 ) to be accessible, while raddr-&gt;len is larger than 4 (or 8). When &amp;=
 raddr-&gt;buf is located at the end of an accessible
  memory segment, then memcpy(&#8230;,&amp;raddr-&gt;buf, raddr-&gt;len) res=
 ults in a memory violation (apart from not copying the right data). I&#8217=
 ;ve seen this crash regularly, obviously depending on the memory layout of =
 the application.<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">The following patch fixes the s=
 egfault and also the second issue mentioned by Christos, which I can also c=
 onfirm:<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">diff -wru trunk/src/lib/libc/rp=
 c/clnt_vc.c new/src/lib/libc/rpc/clnt_vc.c<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">--- trunk/src/lib/libc/rpc/clnt=
 _vc.c<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&#43;&#43;&#43; new/src/lib/lib=
 c/rpc/clnt_vc.c<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">@@ -263,8 &#43;263,8 @@<o:p></o=
 :p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct-&gt;ct_addr.buf =
 =3D malloc((size_t)raddr-&gt;maxlen);<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (ct-&gt;ct_addr.bu=
 f =3D=3D NULL)<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
 p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; goto f=
 ooy;<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(ct-&gt;ct_addr.buf,=
  &amp;raddr-&gt;buf, (size_t)raddr-&gt;len);<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct-&gt;ct_addr.len =3D rad=
 dr-&gt;maxlen;<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&#43;&nbsp;&nbsp;&nbsp;&nbsp;&n=
 bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(ct-&gt;ct_addr.buf, r=
 addr-&gt;buf, (size_t)raddr-&gt;len);<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&#43;&nbsp;&nbsp;&nbsp;&nbsp;&n=
 bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct-&gt;ct_addr.len =3D raddr=
 -&gt;len;<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct-&gt;ct_addr.maxlen=
  =3D raddr-&gt;maxlen;<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /*<o:p></o:p></=
 span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">I&#8217;ve debugged, fixed and =
 tested this locally &#8211; before seeing the issue and patch has already b=
 een known for more than 11 years. So *please* let&#8217;s fix this n=
 ow ;-).<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US">Thorsten<o:p></o:p></span></p>
 <p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p>&nbsp;</o:p></span></p>
 </div>
 </body>
 </html>

 --_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_--

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/13082 CVS commit: src/lib/libc/rpc
Date: Tue, 26 Feb 2013 11:33:57 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Tue Feb 26 16:33:57 UTC 2013

 Modified Files:
 	src/lib/libc/rpc: clnt_vc.c

 Log Message:
 PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
 corruption. XXX: pullup to 6.


 To generate a diff of this commit:
 cvs rdiff -u -r1.18 -r1.19 src/lib/libc/rpc/clnt_vc.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/13082 CVS commit: [netbsd-6] src/lib/libc/rpc
Date: Sun, 31 Mar 2013 20:26:33 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Sun Mar 31 20:26:33 UTC 2013

 Modified Files:
 	src/lib/libc/rpc [netbsd-6]: clnt_vc.c

 Log Message:
 Pull up following revision(s) (requested by christos in ticket #854):
 	lib/libc/rpc/clnt_vc.c: revision 1.19
 PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
 corruption. XXX: pullup to 6.


 To generate a diff of this commit:
 cvs rdiff -u -r1.17.8.1 -r1.17.8.2 src/lib/libc/rpc/clnt_vc.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/13082 CVS commit: [netbsd-6-0] src/lib/libc/rpc
Date: Sun, 31 Mar 2013 20:26:59 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Sun Mar 31 20:26:59 UTC 2013

 Modified Files:
 	src/lib/libc/rpc [netbsd-6-0]: clnt_vc.c

 Log Message:
 Pull up following revision(s) (requested by christos in ticket #854):
 	lib/libc/rpc/clnt_vc.c: revision 1.19
 PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
 corruption. XXX: pullup to 6.


 To generate a diff of this commit:
 cvs rdiff -u -r1.17 -r1.17.12.1 src/lib/libc/rpc/clnt_vc.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Wed, 17 Jul 2013 00:27:08 +0000
State-Changed-Why:
Fix committed and pulled up to netbsd-6 and netbsd-6-0.


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.