This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/21499] New: Uninitialised pointer in svcudp_reply()
- From: "plinich at cse dot unsw.edu.au" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 May 2017 06:39:41 +0000
- Subject: [Bug libc/21499] New: Uninitialised pointer in svcudp_reply()
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=21499
Bug ID: 21499
Summary: Uninitialised pointer in svcudp_reply()
Product: glibc
Version: 2.25
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: plinich at cse dot unsw.edu.au
CC: drepper.fsp at gmail dot com
Target Milestone: ---
File: sunrpc/svc_udp.c
Function: svcudp_reply()
When IP_PKTINFO is defined, __sendmsg() can be called with mesgp->msg_iov set
incorrectly, causing junk to be sent. The problem does not occur when IP_PKTINFO
is not defined and __sendto() is used.
When svcudp_reply() is called, mesgp->iov should be pointing at the iovec
structure at the start of xp_pad. This is apparently not always the case.
I discovered this while debugging an amd (am-utils) problem. When
svc_sendreply() is called in nfs_quick_reply() (in am-utils) the first time
after a successful mount, junk gets sent.
If I modify nfs_quick_reply() to set mesgp->msg_iov correctly each time before
calling svc_sendreply() then the correct RPC packet is sent.
I note that mesgp->msg_iov and mesgp->msg_iovlen are explicitly set for each
call in svcudp_recv() and I wonder if the same should be done in
svcudp_reply().
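The failure mode the report describes, reduced to a stand-alone C program. This is an added example, not code from glibc's sunrpc/svc_udp.c or from am-utils: the transport's scratch area (modelled loosely on xp_pad, with a msghdr followed by a single iovec; the exact layout is an assumption) is reused across calls, and a reply path that trusts whatever msg_iov already holds will ship whatever that pointer happens to reference. A connected AF_UNIX datagram socketpair stands in for the UDP socket so the program runs offline; the function names, the `struct pad` layout and the "RPC-REPLY" payload are all constructed for illustration.

```c
/* Added example: why a reply path must re-point msg_iov before every sendmsg().
 * Not glibc or am-utils code; layout and names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Transport-private scratch area, loosely modelled on xp_pad: the msghdr sits
 * at the start and the iovec it is meant to use follows it (assumed layout). */
struct pad {
    struct msghdr mesg;
    struct iovec iov;
    char junk[64];
};

/* Mirrors what svcudp_recv() does: set msg_iov/msg_iovlen explicitly on every
 * call, so a stale pointer left in the shared msghdr cannot be used. */
static ssize_t reply_with_iov_reset(int fd, struct pad *p, const char *buf, size_t len)
{
    p->iov.iov_base = (void *) buf;
    p->iov.iov_len = len;
    p->mesg.msg_iov = &p->iov;
    p->mesg.msg_iovlen = 1;
    return sendmsg(fd, &p->mesg, 0);
}

/* Mirrors the reported reply path: fills the iovec at the start of the pad but
 * trusts msg_iov to already point at it. If it does not, junk goes out. */
static ssize_t reply_trusting_iov(int fd, struct pad *p, const char *buf, size_t len)
{
    p->iov.iov_base = (void *) buf;
    p->iov.iov_len = len;
    /* msg_iov / msg_iovlen deliberately left as found */
    return sendmsg(fd, &p->mesg, 0);
}

/* Sends one reply through a datagram socketpair and reads it back.
 * Returns 1 if the bytes received are the intended reply, 0 if something
 * else (junk) arrived, -1 on a system-call failure. */
static int run(int use_reset)
{
    static const char reply[] = "RPC-REPLY";   /* constructed stand-in payload */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    struct pad p;
    memset(&p, 0, sizeof p);
    memset(p.junk, 'J', sizeof p.junk);

    /* Simulate the hazard: between calls, msg_iov has been left pointing at a
     * different iovec that references the junk area, not p.iov. */
    struct iovec stale = { p.junk, sizeof p.junk };
    p.mesg.msg_iov = &stale;
    p.mesg.msg_iovlen = 1;

    ssize_t n = use_reset ? reply_with_iov_reset(sv[0], &p, reply, sizeof reply)
                          : reply_trusting_iov(sv[0], &p, reply, sizeof reply);
    if (n < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    char got[128];
    ssize_t r = recv(sv[1], got, sizeof got, 0);
    close(sv[0]);
    close(sv[1]);
    if (r < 0)
        return -1;
    return (r == (ssize_t) sizeof reply && memcmp(got, reply, sizeof reply) == 0) ? 1 : 0;
}

int main(void)
{
    printf("msg_iov reset before sendmsg: %s\n",
           run(1) == 1 ? "correct reply sent" : "junk sent");
    printf("msg_iov trusted as found:     %s\n",
           run(0) == 1 ? "correct reply sent" : "junk sent");
    return 0;
}
```

With the pointer reset, the peer receives the 10-byte reply; trusting the stale msg_iov delivers 64 bytes of filler instead, which is the "junk gets sent" symptom in the report. The cheap defence is the one svcudp_recv() already uses: treat msg_iov and msg_iovlen as per-call state and set both immediately before each sendmsg(), never as something the shared msghdr is assumed to still hold.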