NetBSD Problem Report #44514

From simon@comsys.ntu-kpi.kiev.ua  Fri Feb  4 15:51:20 2011
Return-Path: <simon@comsys.ntu-kpi.kiev.ua>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 17C9063B873
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  4 Feb 2011 15:51:20 +0000 (UTC)
Message-Id: <20110204155115.GA79097@pm513-1.comsys.ntu-kpi.kiev.ua>
Date: Fri, 4 Feb 2011 17:51:15 +0200
From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To: gnats-bugs@gnats.NetBSD.org
Subject: Buffer underflow in RPC library for non-blocking TCP sockets

>Number:         44514
>Category:       bin
>Synopsis:       Buffer underflow in RPC library for non-blocking TCP sockets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 04 15:55:00 +0000 2011
>Closed-Date:    Fri Aug 11 01:08:12 +0000 2017
>Last-Modified:  Fri Aug 11 01:08:12 +0000 2017
>Originator:     Andrey Simonenko
>Release:        NetBSD HEAD
>Organization:
>Environment:
>Description:

The libc/rpc/svc_vc.c:write_vc() function calls write() and sends data
to an opened TCP connection.  For a non-blocking socket it has something like
a timeout of 2 seconds (actually write_vc() can spend more real time
sending on a non-blocking socket).  The i variable is used as the offset
into a buffer and as a counter at the same time.  When write() fails this
variable gets the value -1, and this value is added to the buffer address
and to the counter (the buffer address is decreased and the counter value
actually is increased).  So we get a buffer underflow.

As a result write_vc() can send data that does not belong to the data that
were expected to be sent, so this is a security mistake for any program
that uses RPC with a non-blocking TCP socket.

>How-To-Repeat:

Run any RPC program that transfers big data over a non-blocking TCP socket.
A client will receive truncated data or garbage data, or data that should
not be sent to a client (everything depends on how memory blocks were
allocated in the server).

>Fix:

I found this mistake on FreeBSD and verified the correctness of my change
on that system.

This is the update (this is the minimal version, without optimization):

--- svc_vc.c.orig	2011-02-04 17:27:14.000000000 +0200
+++ svc_vc.c	2011-02-04 17:32:05.000000000 +0200
@@ -610,7 +610,7 @@ write_vc(xprtp, buf, len)
 				cd->strm_stat = XPRT_DIED;
 				return (-1);
 			}
-			if (cd->nonblock && i != cnt) {
+			if (cd->nonblock) {
 				/*
 				 * For non-blocking connections, do not
 				 * take more than 2 seconds writing the
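Review bot: dropping `i != cnt` is a no-op on the path this hunk touches, since by the report this block is reached after write() has failed with i == -1 while cnt is still positive, so the test could never be false; a one-line comment saying so would help, because the bare `if (cd->nonblock)` now reads as though it could also be reached after a partial write. The actual fix is the reset in the next hunk, and the comment block touched here is the natural place to point at it.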
@@ -624,6 +624,7 @@ write_vc(xprtp, buf, len)
 					return (-1);
 				}
 			}
+			i = 0;
 		}
 	}
 	return (len);
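Review bot: `i = 0;` sits after the non-blocking branch but still inside the enclosing block that closes on the next line, which is the right spot: the hard-error path in the previous hunk has already returned -1 with XPRT_DIED, so only the EAGAIN case reaches it, and a zero step leaves the buffer pointer and the remaining count where they were instead of adding -1 to both. Two follow-ups: the loop now retries the same write immediately with no wait, so it spins until the 2-second limit trips, and a poll() on the descriptor before retrying would avoid that; and a regression test that writes a large reply through a write() stub returning EAGAIN once would have caught the original underflow.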

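A hardened form of the send loop the report describes, added here as an example and not taken from NetBSD's svc_vc.c: the writer's return value is checked before it touches the offset, so a -1 from write() cannot move the buffer pointer backwards or inflate the remaining count. The writer_fn callback, send_all(), fake_write() and demo_send() are all constructed for this example, and the fake socket stands in for a real non-blocking TCP connection.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Writer callback with write(2) semantics: bytes written, or -1 with errno set. */
typedef ssize_t (*writer_fn)(const void *buf, size_t len);

/* Send loop shaped like write_vc()'s.  Unlike the original, which adds write()'s
 * result straight to the buffer address and the counter, the result is checked
 * before it touches the offset, so a -1 can never move the pointer backwards. */
static ssize_t send_all(const char *buf, size_t len, writer_fn wr, int max_eagain)
{
    size_t off = 0;
    int eagain = 0;
    while (off < len) {
        ssize_t n = wr(buf + off, len - off);
        if (n < 0) {
            if (errno != EAGAIN && errno != EWOULDBLOCK)
                return -1;             /* real error: connection is dead */
            if (++eagain > max_eagain)
                return -1;             /* stand-in for write_vc()'s 2-second limit */
            continue;                  /* off unchanged: nothing was written */
        }
        off += (size_t)n;              /* n >= 0 here, so this only advances */
    }
    return (ssize_t)len;
}

/* Constructed stand-in for a non-blocking socket: the first call reports
 * EAGAIN, later calls accept at most 4 bytes each and append them to sink. */
static char sink[64]; static size_t sink_len; static int calls;

static ssize_t fake_write(const void *buf, size_t len)
{
    if (calls++ == 0) { errno = EAGAIN; return -1; }
    if (len > 4) len = 4;
    memcpy(sink + sink_len, buf, len);
    sink_len += len;
    return (ssize_t)len;
}

/* Reset the fake socket and send msg; sink then holds exactly what went out. */
static ssize_t demo_send(const char *msg, int max_eagain)
{
    calls = 0; sink_len = 0; memset(sink, 0, sizeof sink);
    return send_all(msg, strlen(msg), fake_write, max_eagain);
}
```

With the original arithmetic the first EAGAIN would have stepped the pointer to buf - 1 and the remaining count to len + 1; here the message arrives intact and in order, and a socket that never drains is reported as a failure.
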
>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44514 CVS commit: src/lib/libc/rpc
Date: Fri, 4 Feb 2011 12:38:16 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Fri Feb  4 17:38:15 UTC 2011

 Modified Files:
 	src/lib/libc/rpc: svc_vc.c

 Log Message:
 PR/44514: Andrey Simonenko: Buffer underflow in RPC library for non-blocking
 TCP sockets


 To generate a diff of this commit:
 cvs rdiff -u -r1.23 -r1.24 src/lib/libc/rpc/svc_vc.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/44514: Buffer underflow in RPC library for non-blocking TCP
 sockets
Date: Fri, 4 Feb 2011 14:33:54 -0500

 On Fri,  4 Feb 2011 15:55:00 +0000 (UTC)
 Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua> wrote:

 > --- svc_vc.c.orig	2011-02-04 17:27:14.000000000 +0200
 > +++ svc_vc.c	2011-02-04 17:32:05.000000000 +0200
 > @@ -610,7 +610,7 @@ write_vc(xprtp, buf, len)
 > [...]

 The NetBSD-5 branch also seems affected by this security issue.

 Thanks,
 -- 
 Matt

State-Changed-From-To: open->closed
State-Changed-By: ginsbach@NetBSD.org
State-Changed-When: Fri, 11 Aug 2017 01:08:12 +0000
State-Changed-Why:
christos committed fix; Thanks!


>Unformatted:
