This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/20790] rpcgen buffer overrun in get_prog_declaration
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 08 Nov 2016 23:46:13 +0000
- Subject: [Bug network/20790] rpcgen buffer overrun in get_prog_declaration
- Auto-submitted: auto-generated
- References: <bug-20790-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20790
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 5874510faaf3cbd0bb112aaacab9f225002beed1 (commit)
from 116ae4fe5a70d99cf06088f0222a5913996f7f70 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5874510faaf3cbd0bb112aaacab9f225002beed1
commit 5874510faaf3cbd0bb112aaacab9f225002beed1
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 8 23:44:51 2016 +0000
Fix rpcgen buffer overrun (bug 20790).
Building with GCC 7 produces an error building rpcgen:
rpc_parse.c: In function 'get_prog_declaration':
rpc_parse.c:543:25: error: may write a terminating nul past the end of the
destination [-Werror=format-length=]
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
~~~~^
rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a
destination of size 10
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
That buffer overrun is for the case where the .x file declares a
program with a million arguments. The strcpy two lines above can
generate a buffer overrun much more simply for a long argument name.
The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
provides a bound on the buffer size needed, so this patch just changes
the buffer size to MAXLINESIZE to avoid both possible buffer
overruns. A testcase is added that rpcgen does not crash with a
500-character argument name, where it previously crashed.
It would not at all surprise me if there are many other ways of
crashing rpcgen with either valid or invalid input; fuzz testing would
likely find various such bugs, though I don't think they are that
important to fix (rpcgen is not that likely to be used with untrusted
.x files as input). (As well as fuzz-findable bugs there are probably
also issues when various int variables get overflowed on very large
input.) The test infrastructure for rpcgen-not-crashing tests would
need extending if tests are to be added for cases where rpcgen should
produce an error, as opposed to cases where it should succeed.
Tested for x86_64 and x86.
[BZ #20790]
* sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
to MAXLINESIZE.
* sunrpc/bug20790.x: New file.
* sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
variable.
[$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
[$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +++++++++
sunrpc/Makefile | 11 +++++++++++
sunrpc/bug20790.x | 1 +
sunrpc/rpc_parse.c | 2 +-
4 files changed, 22 insertions(+), 1 deletions(-)
create mode 100644 sunrpc/bug20790.x
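The two overruns the commit message describes, as an added illustration that is not the commit's own code (the diff itself is not quoted in this mail): a bounded stand-in for the strcpy/sprintf writes in get_prog_declaration, plus a helper that reports whether a 500-character argument name or the default name for a one-million-argument program fits in the old 10-byte buffer versus a MAXLINESIZE one. It assumes ARGNAME is "arg" as rpc_parse.c defines it; arg_name_bounded and fits are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ARGNAME is "arg" as rpc_parse.c defines it; MAXLINESIZE (1024) is the line
   bound the commit cites; 10 is the old buffer size in the GCC diagnostic. */
#define ARGNAME       "arg"
#define MAXLINESIZE   1024
#define OLD_NAME_SIZE 10

/* Bounded stand-in for the strcpy/sprintf pair in get_prog_declaration
   (hypothetical helper, not rpcgen's code).  Copies the explicit argument
   name if given, else ARGNAME followed by the argument number.  Returns 0
   on success, -1 if it would not fit; never writes past dst[size - 1]. */
static int
arg_name_bounded (char *dst, size_t size, const char *ident, int num)
{
  int n;
  if (size == 0)
    return -1;
  if (ident != NULL)
    n = snprintf (dst, size, "%s", ident);
  else
    n = snprintf (dst, size, "%s%d", ARGNAME, num);
  /* snprintf returns the length it wanted; >= size means truncation, i.e.
     exactly the inputs on which the unbounded strcpy/sprintf overran. */
  return (n < 0 || (size_t) n >= size) ? -1 : 0;
}

/* Does a name of 'len' constructed 'a' characters (or, when len is 0, the
   default name for argument 'num') fit in 'size' bytes?  1 = fits, 0 = no. */
static int
fits (size_t size, size_t len, int num)
{
  char buf[MAXLINESIZE];
  char *ident = NULL;
  int rc;
  if (size > MAXLINESIZE)
    return 0;
  if (len > 0 && (ident = calloc (len + 1, 1)) == NULL)
    return 0;
  if (ident != NULL)
    memset (ident, 'a', len);   /* calloc already supplied the final NUL */
  rc = arg_name_bounded (buf, size, ident, num);
  free (ident);
  return rc == 0;
}
```

With the old size, the 500-character name from the testcase and "arg1000000" (ten characters plus the NUL) both fail the bound check, while "arg999999" still fits; with MAXLINESIZE both succeed.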