lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-07 06:43:00 +03:00
Code Activity

Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.

Browse Source 
If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:
svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
  274 |   memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

In out-of-memory case, if one of the mallocs in makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL
and the subsequent memcpy would copy to NULL.

Instead of a segfaulting, we delay a bit (see also __svc_accept_failed
and Bug 14889 (CVE-2011-4609) - svc_run() produces high cpu usage when
accept() fails with EMFILE (CVE-2011-4609).

The same applies to svc_unix.c.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
This commit is contained in:
Stefan Liebler
2020-12-04 17:00:27 +01:00
parent 0d4ed9d40e
commit 4b2e40a925
4 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/rpc/svc.h
View File

@@ -38,6 +38,7 @@ libc_hidden_proto (svc_getreq_common)
libc_hidden_proto (svc_getreq_poll) libc_hidden_proto (svc_getreq_poll)
extern void __svc_accept_failed (void) attribute_hidden; extern void __svc_accept_failed (void) attribute_hidden;
extern void __svc_wait_on_error (void) attribute_hidden;
# endif /* !_ISOMAC */ # endif /* !_ISOMAC */
#endif #endif

10
sunrpc/svc.c
View File

@@ -545,6 +545,13 @@ svc_getreq_common (const int fd)
} }
libc_hidden_nolink_sunrpc (svc_getreq_common, GLIBC_2_2) libc_hidden_nolink_sunrpc (svc_getreq_common, GLIBC_2_2)
void
__svc_wait_on_error (void)
{
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
__nanosleep (&ts, NULL);
}
/* If there are no file descriptors available, then accept will fail. /* If there are no file descriptors available, then accept will fail.
We want to delay here so the connection request can be dequeued; We want to delay here so the connection request can be dequeued;
otherwise we can bounce between polling and accepting, never giving the otherwise we can bounce between polling and accepting, never giving the
@@ -555,8 +562,7 @@ __svc_accept_failed (void)
{ {
if (errno == EMFILE) if (errno == EMFILE)
{ {
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 }; __svc_wait_on_error ();
__nanosleep (&ts, NULL);
} }
} }

8
sunrpc/svc_tcp.c
View File

@@ -271,6 +271,14 @@ again:
* make a new transporter (re-uses xprt) * make a new transporter (re-uses xprt)
*/ */
xprt = makefd_xprt (sock, r->sendsize, r->recvsize); xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
/* If we are out of memory, makefd_xprt has already dumped an error. */
if (xprt == NULL)
{
__svc_wait_on_error ();
return FALSE;
}
memcpy (&xprt->xp_raddr, &addr, sizeof (addr)); memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
xprt->xp_addrlen = len; xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */ return FALSE; /* there is never an rpc msg to be processed */

8
sunrpc/svc_unix.c
View File

@@ -270,6 +270,14 @@ again:
memset (&in_addr, '\0', sizeof (in_addr)); memset (&in_addr, '\0', sizeof (in_addr));
in_addr.sin_family = AF_UNIX; in_addr.sin_family = AF_UNIX;
xprt = makefd_xprt (sock, r->sendsize, r->recvsize); xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
/* If we are out of memory, makefd_xprt has already dumped an error. */
if (xprt == NULL)
{
__svc_wait_on_error ();
return FALSE;
}
memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr)); memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
xprt->xp_addrlen = len; xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */ return FALSE; /* there is never an rpc msg to be processed */