NetBSD Problem Report #44132

From Wolfgang.Stukenbrock@nagler-company.com  Tue Nov 23 09:33:53 2010
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 9AD5B63BAE5
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 23 Nov 2010 09:33:53 +0000 (UTC)
Message-Id: <20101123093334.609DAAB7B4@s011.nagler-company.com>
Date: Tue, 23 Nov 2010 10:33:24 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: libc/rpc may overwrite not-allocated memory
X-Send-Pr-Version: 3.95

>Number:         44132
>Category:       lib
>Synopsis:       libc/rpc may overwrite not-allocated memory
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Nov 23 09:35:00 +0000 2010
>Closed-Date:    Thu Dec 09 05:26:32 +0000 2010
>Last-Modified:  Thu Dec 09 05:26:32 +0000 2010
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 5.0.2
>Organization:
Dr. Nagler & Company GmbH
>Environment:


System: NetBSD test-s1 5.0.2 NetBSD 5.0.2 (NSW-S011) #12: Thu Nov 11 11:29:19 CET 2010 wgstuken@s012:/export/NetBSD-5.0.2/N+C-build/.OBJDIR_amd64/export/NetBSD-5.0.2/src/sys/arch/amd64/compile/NSW-S011 amd64
Architecture: x86_64
Machine: amd64
>Description:
	In /usr/src/lib/libc/rpc/xdr_rec.c there is a routine called realloc_stream(), that is used
	to adjust the receive buffer if the next record does not fit into the current buffer.
	This routine returns TRUE on success and FALSE on error.
	This routine is used only by __xdrrec_getrec() in the same file, but the return value is ignored.
	So in the (very rare) case, that the realloc does not succeed, the resulting buffer is too small.
	Next the readit() function-pointer is called for the "rest of the packet" and in the TCP-case
	(read_vc() from clnt_vc.c) this routine will fill the buffer as requested.
	But the buffer is smaller and memory corruption occurs.

	remark: I haven't added line numbers, because realloc_stream() is a static routine and only called
	once and it should be possible to locate it in the source file.
>How-To-Repeat:
	Problem found by a look into the sources.
>Fix:
	Return an error if realloc() fails.
	I'm not really confirmed with the internals of the rpc-lib.
	So I do not know what kind of error should be returned from __xdrrec_getrec() in that case.
	The routine should return FALSE if realloc_stream() failed, but I'm not sure about the
	correct value for *statp.
	Sorry.

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44132 CVS commit: src/lib/libc/rpc
Date: Tue, 23 Nov 2010 09:02:02 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Tue Nov 23 14:02:01 UTC 2010

 Modified Files:
 	src/lib/libc/rpc: xdr_rec.c

 Log Message:
 PR/44132: Wolfgang Stukenbrock: libc/rpc may overwrite not-allocated memory
 Return XPRT_DIED when realloc fails for lack of a better error.


 To generate a diff of this commit:
 cvs rdiff -u -r1.30 -r1.31 src/lib/libc/rpc/xdr_rec.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Tue, 23 Nov 2010 14:15:28 +0000
State-Changed-Why:
Christos committed a fix, ok to close?


From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, lib-bug-people@netbsd.org, 
	netbsd-bugs@netbsd.org, gnats-admin@netbsd.org, wiz@NetBSD.org, 
	Wolfgang.Stukenbrock@nagler-company.com
Cc: 
Subject: Re: lib/44132 (libc/rpc may overwrite not-allocated memory)
Date: Tue, 23 Nov 2010 09:19:02 -0500

 On Nov 23,  2:15pm, wiz@NetBSD.org (wiz@NetBSD.org) wrote:
 -- Subject: Re: lib/44132 (libc/rpc may overwrite not-allocated memory)

 | Synopsis: libc/rpc may overwrite not-allocated memory
 | 
 | State-Changed-From-To: open->feedback
 | State-Changed-By: wiz@NetBSD.org
 | State-Changed-When: Tue, 23 Nov 2010 14:15:28 +0000
 | State-Changed-Why:
 | Christos committed a fix, ok to close?

 Perhaps we want a pullup to 5?

 christos

From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock@nagler-company.com>
To: gnats-bugs@NetBSD.org
Cc: lib-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
        wiz@NetBSD.org, Wolfgang.Stukenbrock@nagler-company.com
Subject: Re: lib/44132 (libc/rpc may overwrite not-allocated memory)
Date: Tue, 23 Nov 2010 15:35:12 +0100

 Hi again,

 yes I think this will fix the problem.

 W. Stukenbrock

 wiz@NetBSD.org wrote:

 > Synopsis: libc/rpc may overwrite not-allocated memory
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: wiz@NetBSD.org
 > State-Changed-When: Tue, 23 Nov 2010 14:15:28 +0000
 > State-Changed-Why:
 > Christos committed a fix, ok to close?
 > 
 > 
 > 
 > 


 -- 


 Dr. Nagler & Company GmbH
 Hauptstraße 9
 92253 Schnaittenbach

 Tel. +49 9622/71 97-42
 Fax +49 9622/71 97-50

 Wolfgang.Stukenbrock@nagler-company.com
 http://www.nagler-company.com


 Headquarters: Schnaittenbach
 Commercial register: Amberg HRB
 Place of jurisdiction: Amberg
 Tax number: 201/118/51825
 VAT ID number: DE 273143997
 Managing directors: Dr. Martin Nagler, Dr. Dr. Karl-Kuno Kunze


State-Changed-From-To: feedback->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 23 Nov 2010 21:41:10 +0000
State-Changed-Why:
pullup-5 #1493


From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44132 CVS commit: [netbsd-5] src/lib/libc/rpc
Date: Thu, 9 Dec 2010 04:14:47 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Thu Dec  9 04:14:46 UTC 2010

 Modified Files:
 	src/lib/libc/rpc [netbsd-5]: xdr_rec.c

 Log Message:
 Pull up following revision(s) (requested by dholland in ticket #1493):
 	lib/libc/rpc/xdr_rec.c: revision 1.31
 PR/44132: Wolfgang Stukenbrock: libc/rpc may overwrite not-allocated memory
 Return XPRT_DIED when realloc fails for lack of a better error.


 To generate a diff of this commit:
 cvs rdiff -u -r1.29 -r1.29.4.1 src/lib/libc/rpc/xdr_rec.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 09 Dec 2010 05:26:32 +0000
State-Changed-Why:
pullup completed, thanks everyone


>Unformatted:
