This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/22114] New: xdr_char() and xdr_u_char() functions crash on encoding of a character lying in a constant memory segment
- From: "a.kampling at gmx dot de" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 08 Sep 2017 12:42:30 +0000
- Subject: [Bug network/22114] New: xdr_char() and xdr_u_char() functions crash on encoding of a character lying in a constant memory segment
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22114
Bug ID: 22114
Summary: xdr_char() and xdr_u_char() functions crash on encoding of a character lying in a constant memory segment
Product: glibc
Version: 2.17
Status: UNCONFIRMED
Keywords: glibc_2.17
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: a.kampling at gmx dot de
Target Milestone: ---
The bug I report here was detected in glibc 2.17 but can also be found in the codebase of the current head in the git repository:
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sunrpc/xdr.c;hb=HEAD.
The "xdr_xxx()" functions can be used to encode and decode data into an xdr
object.
The "bool_t xdr_char (XDR *xdrs, char *cp)" function will crash if the data that is passed via "char *cp" lies in a constant memory segment.
The other functions like "xdr_int()" check whether to encode or decode and only write to the pointer target if decoding should take place.
So instead of crashing, the function should just encode the data and not write to where the pointer is pointing.
I know that the argument is not "const char *cp", but the other functions behave differently in contrast to "xdr_char()".
Further, the "xdr_u_char()" function is also affected by the same problem.
--------------------------------------
Steps to reproduce (C program):
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <rpc/rpc.h>

int main(void)
{
    static const char cchar = 'a';
    static const int cint = 42;
    char xdrbuffer[100];
    XDR xdrs;

    xdrmem_create(&xdrs, xdrbuffer, sizeof(xdrbuffer), XDR_ENCODE);

    // works
    printf("xdr_int: <%s>\n",
           (xdr_int(&xdrs, &cint) == TRUE) ? "Success" : "Failure");

    // fails --> segmentation fault!
    printf("xdr_char: <%s>\n",
           (xdr_char(&xdrs, &cchar) == TRUE) ? "Success" : "Failure");

    return 0;
}
--------------------------------------
valgrind crash log:
[andre_kampling@vm-29-149-4 Debug]$ valgrind --leak-check=full --track-origins=yes ./xdrBug
==42507== Memcheck, a memory error detector
==42507== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==42507== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==42507== Command: ./xdrBug
==42507==
xdr_int: <Success>
==42507==
==42507== Process terminating with default action of signal 11 (SIGSEGV)
==42507== Bad permissions for mapped region at address 0x400824
==42507== at 0x52602EE: xdr_char (in /usr/lib64/libc-2.17.so)
==42507== by 0x40072F: main (xdrBug.c:22)
==42507==
==42507== HEAP SUMMARY:
==42507== in use at exit: 0 bytes in 0 blocks
==42507== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==42507==
==42507== All heap blocks were freed -- no leaks are possible
==42507==
==42507== For counts of detected and suppressed errors, rerun with: -v
==42507== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault
Solution:
The bug is on this line in xdr.c
https://sourceware.org/git/?p=glibc.git;a=blob;f=sunrpc/xdr.c;h=8b0b91995b79b859a8ff12d81f1720368b645b16;hb=HEAD#l414:
*cp = i;
This should only be done if xdrs->x_op is equal to XDR_DECODE.
The other functions like "xdr_int()" are using a switch case for that.
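The fix described above, worked through as an added example that is not part of the report or of glibc: the XDR object, xdr_putlong/xdr_getlong and the buffer layout are a constructed in-memory stand-in, while xdr_int and xdr_char_fixed follow the shape the report describes (write through the pointer only in the XDR_DECODE arm). roundtrip_const_char encodes the report's const 'a' without storing into it, checks XDR's 4-byte big-endian wire form, and decodes it back.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
/* Constructed stand-in for glibc's XDR object: an in-memory stream of 4-byte
 * big-endian words, which is how XDR puts every integer (chars included) on the wire. */
enum xdr_op { XDR_ENCODE, XDR_DECODE, XDR_FREE };
typedef struct { enum xdr_op x_op; uint8_t *base; size_t len, pos; } XDR;
static bool xdr_putlong(XDR *x, long v) {
    if (x->pos + 4 > x->len) return false;
    for (int s = 24; s >= 0; s -= 8) x->base[x->pos++] = (uint8_t)((uint32_t)v >> s);
    return true;
}
static bool xdr_getlong(XDR *x, long *v) {
    uint32_t u = 0;
    if (x->pos + 4 > x->len) return false;
    for (int s = 24; s >= 0; s -= 8) u |= (uint32_t)x->base[x->pos++] << s;
    *v = (int32_t)u; return true;
}
/* xdr_int as the report describes it: the store through ip sits only in the XDR_DECODE arm. */
bool xdr_int(XDR *x, int *ip) {
    long l;
    switch (x->x_op) {
    case XDR_ENCODE: l = *ip; return xdr_putlong(x, l);
    case XDR_DECODE: if (!xdr_getlong(x, &l)) return false; *ip = (int)l; return true;
    case XDR_FREE:   return true;
    }
    return false;
}
/* Fixed shape of xdr_char. The reported code runs "*cp = i" unconditionally here, which
 * faults when cp points into read-only storage; mirror xdr_int and store only on decode. */
bool xdr_char_fixed(XDR *x, char *cp) {
    int i = *cp;
    if (!xdr_int(x, &i)) return false;
    if (x->x_op == XDR_DECODE) *cp = (char)i;
    return true;
}
/* Encode 'a' from const storage (the report's reproducer) with the fixed routine, check
 * the 4-byte wire form, then decode it back. Returns the decoded char or a negative code. */
int roundtrip_const_char(void) {
    static const char cchar = 'a';
    uint8_t buf[4];
    char out = 0;
    XDR enc = { XDR_ENCODE, buf, sizeof buf, 0 }, dec = { XDR_DECODE, buf, sizeof buf, 0 };
    /* The cast is sound only because the fixed routine never stores in ENCODE mode. */
    if (!xdr_char_fixed(&enc, (char *)&cchar)) return -1;
    if (memcmp(buf, "\0\0\0a", 4) != 0) return -2;
    if (!xdr_char_fixed(&dec, &out)) return -3;
    return out;
}
```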