[Bug network/20790] New: rpcgen buffer overrun in get_prog_declaration

["jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=20790

            Bug ID: 20790
           Summary: rpcgen buffer overrun in get_prog_declaration
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
  Target Milestone: ---

Building with GCC 7 produces an error building rpcgen:

rpc_parse.c: In function 'get_prog_declaration':
rpc_parse.c:543:25: error: may write a terminating nul past the end of the
destination [-Werror=format-length=]
     sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
                     ~~~~^
rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a
destination of size 10
     sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That buffer overrun is for the case where the .x file declares a program with a
million arguments.  The strcpy two lines above can generate a buffer overrun
much more simply for a long argument name; the following test does it:

program TPROG { version TVERS { int FUNC(int
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
= 1; } = 1; } = 1;

Testing a patch.

-- 
You are receiving this mail because:
You are on the CC list for the bug.