This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug network/20790] rpcgen buffer overrun in get_prog_declaration
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sat, 07 Oct 2017 12:03:20 +0000
- Subject: [Bug network/20790] rpcgen buffer overrun in get_prog_declaration
- Auto-submitted: auto-generated
- References: <bug-20790-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20790
--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.24/master has been updated
via 7fca94796b67a8ca3730da255e64ee95a818f231 (commit)
from b3c498b834c112c10831dced77c9409cb79f339e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7fca94796b67a8ca3730da255e64ee95a818f231
commit 7fca94796b67a8ca3730da255e64ee95a818f231
Author: Joseph Myers <joseph@codesourcery.com>
Date: Sat Oct 7 13:42:41 2017 +0200
Fix rpcgen buffer overrun (bug 20790).
Building with GCC 7 produces an error building rpcgen:
rpc_parse.c: In function 'get_prog_declaration':
rpc_parse.c:543:25: error: may write a terminating nul past the end of the
destination [-Werror=format-length=]
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
~~~~^
rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a
destination of size 10
sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
That buffer overrun is for the case where the .x file declares a
program with a million arguments. The strcpy two lines above can
generate a buffer overrun much more simply for a long argument name.
The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
provides a bound on the buffer size needed, so this patch just changes
the buffer size to MAXLINESIZE to avoid both possible buffer
overruns. A testcase is added that rpcgen does not crash with a
500-character argument name, where it previously crashed.
It would not at all surprise me if there are many other ways of
crashing rpcgen with either valid or invalid input; fuzz testing would
likely find various such bugs, though I don't think they are that
important to fix (rpcgen is not that likely to be used with untrusted
.x files as input). (As well as fuzz-findable bugs there are probably
also issues when various int variables get overflowed on very large
input.) The test infrastructure for rpcgen-not-crashing tests would
need extending if tests are to be added for cases where rpcgen should
produce an error, as opposed to cases where it should succeed.
Tested for x86_64 and x86.
[BZ #20790]
* sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
to MAXLINESIZE.
* sunrpc/bug20790.x: New file.
* sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
variable.
[$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
[$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
(cherry picked from commit 5874510faaf3cbd0bb112aaacab9f225002beed1)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 11 +++++++++++
NEWS | 1 +
sunrpc/Makefile | 11 +++++++++++
sunrpc/bug20790.x | 1 +
sunrpc/rpc_parse.c | 2 +-
5 files changed, 25 insertions(+), 1 deletions(-)
create mode 100644 sunrpc/bug20790.x
--
You are receiving this mail because:
You are on the CC list for the bug.