NetBSD Problem Report #13082
Received: (qmail 18834 invoked from network); 1 Jun 2001 16:27:57 -0000
Message-Id: <200106011620.f51GKCi24020@oban.imag.fr>
Date: Fri, 1 Jun 2001 18:20:12 +0200 (MEST)
From: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Reply-To: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
To: gnats-bugs@gnats.netbsd.org
Subject: clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
X-Send-Pr-Version: 3.95
>Number: 13082
>Category: lib
>Synopsis: clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 01 16:28:00 +0000 2001
>Closed-Date: Wed Jul 17 00:27:08 +0000 2013
>Last-Modified: Wed Jul 17 00:27:08 +0000 2013
>Originator: Jean-Luc Richier
>Release: NetBSD 1.5
>Organization:
IMAG
>Environment:
System: NetBSD oban.imag.fr 1.5 NetBSD 1.5 (IPv6) #24: Fri Apr 20 17:36:52 MEST 2001 richier@oban.imag.fr:/usr/src/sys/arch/sparc/compile/IPv6 sparc
>Description:
In the RPC libc code, the control call which allows clients to
find the address of the server (clnt_control(clnt, CLGET_SVC_ADDR, ..)
return an incorrect value.
Bug was detected in NetBSD1.5, and in still in the NetBSD-current source
>How-To-Repeat:
Consider the code at the end, which allows to test rpc calls (unicast or
not) on different transports, compile it (cc -o tstrpc tstrpc.c)
- on udp: it works:
% tstrpc tuna.imag.fr
response from: tuna.imag.fr
- on tcp there is an error
% tstrpc -t tuna.imag.fr
incorrect response
test program tstrpc.c:
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <rpc/rpc.h>
#define RPCBPROC_NULL 0
char *transp;
int
reply(caddr_t replyp, struct netbuf *raddrp, struct netconfig *nconf)
{
char host[NI_MAXHOST];
struct sockaddr *sock = raddrp->buf;
if (getnameinfo(sock, sock->sa_len, host, sizeof (host), NULL, 0, 0))
printf("incorrect response\n");
else
printf("response from: %s\n", host);
return(0);
}
void
onehost(char *host)
{
CLIENT *clnt;
struct netbuf addr;
struct timeval tv;
if ((clnt = clnt_create(host, RPCBPROG, RPCBVERS, transp)) == NULL)
errx(1, "%s", clnt_spcreateerror(""));
tv.tv_sec = 15;
tv.tv_usec = 0;
if (clnt_call(clnt, RPCBPROC_NULL, xdr_void, NULL, xdr_void, NULL, tv)
!= RPC_SUCCESS)
errx(1, "%s", clnt_sperror(clnt, ""));
clnt_control(clnt, CLGET_SVC_ADDR, (char *)&addr);
reply(NULL, &addr, NULL);
}
void
allhosts()
{
enum clnt_stat clnt_stat;
clnt_stat = rpc_broadcast(RPCBPROG, RPCBVERS, RPCBPROC_NULL,
xdr_void, NULL, xdr_void, NULL,
(resultproc_t)reply, transp);
if (clnt_stat != RPC_SUCCESS && clnt_stat != RPC_TIMEDOUT)
errx(1, "%s", clnt_sperrno(clnt_stat));
}
int
main(int argc, char *argv[])
{
int ch;
transp = "udp";
while ((ch = getopt(argc, argv, "ut")) != -1)
switch (ch) {
case 't':
transp = "tcp";
break;
case 'u':
transp = "udp";
break;
default:
errx(1, "tstrpc -[u|t] ...");
}
if (argc == optind)
allhosts();
else for (; optind < argc; optind++)
onehost(argv[optind]);
exit(0);
}
>Fix:
The problem is in lib/libc/rpc/clnt_vc.c, an incorrect reference.
To correct:
*** /usr/src/lib/libc/rpc/clnt_vc.c.DIST Fri Jul 14 18:48:12 2000
--- /usr/src/lib/libc/rpc/clnt_vc.c Fri Jun 1 18:05:33 2001
***************
*** 263,269 ****
ct->ct_addr.buf = malloc(raddr->maxlen);
if (ct->ct_addr.buf == NULL)
goto fooy;
! memcpy(ct->ct_addr.buf, &raddr->buf, raddr->len);
ct->ct_addr.len = raddr->maxlen;
ct->ct_addr.maxlen = raddr->maxlen;
--- 263,269 ----
ct->ct_addr.buf = malloc(raddr->maxlen);
if (ct->ct_addr.buf == NULL)
goto fooy;
! memcpy(ct->ct_addr.buf, raddr->buf, raddr->len);
ct->ct_addr.len = raddr->maxlen;
ct->ct_addr.maxlen = raddr->maxlen;
>Release-Note:
>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>,
lib-bug-people@netbsd.org, gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: lib/13082: clnt_control option CLGET_SVC_ADDR does not work with rpc vc transport
Date: Fri, 1 Jun 2001 13:18:10 -0400
On Jun 1, 6:20pm, Jean-Luc.Richier@imag.fr (Jean-Luc Richier) wrote:
-- Subject: lib/13082: clnt_control option CLGET_SVC_ADDR does not work with
Yes, but it looks to me like the next line is wrong too. The assignment
should probably be:
ct->ct_addr.len = raddr->len;
not:
ct->ct_addr.len = raddr->maxlen;
christos
| *** /usr/src/lib/libc/rpc/clnt_vc.c.DIST Fri Jul 14 18:48:12 2000
| --- /usr/src/lib/libc/rpc/clnt_vc.c Fri Jun 1 18:05:33 2001
| ***************
| *** 263,269 ****
| ct->ct_addr.buf = malloc(raddr->maxlen);
| if (ct->ct_addr.buf == NULL)
| goto fooy;
| ! memcpy(ct->ct_addr.buf, &raddr->buf, raddr->len);
| ct->ct_addr.len = raddr->maxlen;
| ct->ct_addr.maxlen = raddr->maxlen;
|
| --- 263,269 ----
| ct->ct_addr.buf = malloc(raddr->maxlen);
| if (ct->ct_addr.buf == NULL)
| goto fooy;
| ! memcpy(ct->ct_addr.buf, raddr->buf, raddr->len);
| ct->ct_addr.len = raddr->maxlen;
| ct->ct_addr.maxlen = raddr->maxlen;
|
|
| >Release-Note:
| >Audit-Trail:
| >Unformatted:
-- End of excerpt from Jean-Luc Richier
From: Thorsten Brehm <tbrehm@dspace.de>
To: "gnats-bugs@gnats.netbsd.org" <gnats-bugs@gnats.netbsd.org>
Cc: "christos@zoulas.com" <christos@zoulas.com>
Subject: Re: lib/13082
Date: Tue, 26 Feb 2013 09:16:50 +0000
--_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
This bug should be raised to "critical", since it causes sporadic segfaults=
. The incorrect memcpy source location has already been described in the re=
port.
But moreover, the memory location &raddr->buf only guarantees 4 bytes (or 8=
bytes on 64 bit systems) to be accessible, while raddr->len is larger than=
4 (or 8). When &raddr->buf is located at the end of an accessible memory s=
egment, then memcpy(...,&raddr->buf, raddr->len) results in a memory violat=
ion (apart from not copying the right data). I've seen this crash regularly=
, obviously depending on the memory layout of the application.
The following patch fixes the segfault and also the second issue mentioned =
by Christos, which I can also confirm:
diff -wru trunk/src/lib/libc/rpc/clnt_vc.c new/src/lib/libc/rpc/clnt_vc.c
--- trunk/src/lib/libc/rpc/clnt_vc.c
+++ new/src/lib/libc/rpc/clnt_vc.c
@@ -263,8 +263,8 @@
ct->ct_addr.buf =3D malloc((size_t)raddr->maxlen);
if (ct->ct_addr.buf =3D=3D NULL)
goto fooy;
- memcpy(ct->ct_addr.buf, &raddr->buf, (size_t)raddr->len);
- ct->ct_addr.len =3D raddr->maxlen;
+ memcpy(ct->ct_addr.buf, raddr->buf, (size_t)raddr->len);
+ ct->ct_addr.len =3D raddr->len;
ct->ct_addr.maxlen =3D raddr->maxlen;
/*
I've debugged, fixed and tested this locally - before seeing the issue and =
patch has already been known for more than 11 years. So *please* let's fix =
this now ;-).
Thorsten
--_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:"Courier New";
mso-fareast-language:DE;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"DE" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span lang=3D"EN-US">This bug should be raised to &#=
8220;critical”, since it causes sporadic segfaults. The incorrect mem=
cpy source location has already been described in the report.<o:p></o:p></s=
pan></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">But moreover, the memory locati=
on &raddr->buf only guarantees 4 bytes (or 8 bytes on 64 bit systems=
) to be accessible, while raddr->len is larger than 4 (or 8). When &=
raddr->buf is located at the end of an accessible
memory segment, then memcpy(…,&raddr->buf, raddr->len) res=
ults in a memory violation (apart from not copying the right data). I’=
;ve seen this crash regularly, obviously depending on the memory layout of =
the application.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">The following patch fixes the s=
egfault and also the second issue mentioned by Christos, which I can also c=
onfirm:<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">diff -wru trunk/src/lib/libc/rp=
c/clnt_vc.c new/src/lib/libc/rpc/clnt_vc.c<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">--- trunk/src/lib/libc/rpc/clnt=
_vc.c<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">+++ new/src/lib/lib=
c/rpc/clnt_vc.c<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">@@ -263,8 +263,8 @@<o:p></o=
:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> &=
nbsp; ct->ct_addr.buf =
=3D malloc((size_t)raddr->maxlen);<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> &=
nbsp; if (ct->ct_addr.bu=
f =3D=3D NULL)<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> &=
nbsp; &nbs=
p; goto f=
ooy;<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">- =
memcpy(ct->ct_addr.buf,=
&raddr->buf, (size_t)raddr->len);<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">- =
ct->ct_addr.len =3D rad=
dr->maxlen;<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">+ &n=
bsp; memcpy(ct->ct_addr.buf, r=
addr->buf, (size_t)raddr->len);<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">+ &n=
bsp; ct->ct_addr.len =3D raddr=
->len;<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> &=
nbsp; ct->ct_addr.maxlen=
=3D raddr->maxlen;<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> &=
nbsp; /*<o:p></o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">I’ve debugged, fixed and =
tested this locally – before seeing the issue and patch has already b=
een known for more than 11 years. So *please* let’s fix this n=
ow ;-).<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">Thorsten<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>
--_000_C8EE0F1FA402474893651B07DA446721EDC3BACEExchange2010dsp_--
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/13082 CVS commit: src/lib/libc/rpc
Date: Tue, 26 Feb 2013 11:33:57 -0500
Module Name: src
Committed By: christos
Date: Tue Feb 26 16:33:57 UTC 2013
Modified Files:
src/lib/libc/rpc: clnt_vc.c
Log Message:
PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
corruption. XXX: pullup to 6.
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/lib/libc/rpc/clnt_vc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/13082 CVS commit: [netbsd-6] src/lib/libc/rpc
Date: Sun, 31 Mar 2013 20:26:33 +0000
Module Name: src
Committed By: riz
Date: Sun Mar 31 20:26:33 UTC 2013
Modified Files:
src/lib/libc/rpc [netbsd-6]: clnt_vc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #854):
lib/libc/rpc/clnt_vc.c: revision 1.19
PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
corruption. XXX: pullup to 6.
To generate a diff of this commit:
cvs rdiff -u -r1.17.8.1 -r1.17.8.2 src/lib/libc/rpc/clnt_vc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/13082 CVS commit: [netbsd-6-0] src/lib/libc/rpc
Date: Sun, 31 Mar 2013 20:26:59 +0000
Module Name: src
Committed By: riz
Date: Sun Mar 31 20:26:59 UTC 2013
Modified Files:
src/lib/libc/rpc [netbsd-6-0]: clnt_vc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #854):
lib/libc/rpc/clnt_vc.c: revision 1.19
PR/13082: Thorsten Brehm: Fix wrong memcpy that caused possible memory
corruption. XXX: pullup to 6.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.12.1 src/lib/libc/rpc/clnt_vc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Wed, 17 Jul 2013 00:27:08 +0000
State-Changed-Why:
Fix committed and pulled up to netbsd-6 and netbsd-6-0.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.