From ed6b0fe710b631b99ed9fc28cefedfe69a16dc55 Mon Sep 17 00:00:00 2001 From: Brad Hubbard Date: Wed, 18 Mar 2015 14:51:26 +0530 Subject: [PATCH] Use calloc to allocate xports (BZ #17542) If xports is NULL in xprt_register we malloc it but if sock > _rpc_dtablesize() that memory does not get initialised and may in theory contain any value. Later we make a conditional jump in svc_getreq_common based on the uninitialised memory and this caused a general protection fault in rpc.statd on an older version of glibc but this code has not changed since that version. Following is the valgrind warning. ==26802== Conditional jump or move depends on uninitialised value(s) ==26802== at 0x5343A25: svc_getreq_common (in /lib64/libc-2.5.so) ==26802== by 0x534357B: svc_getreqset (in /lib64/libc-2.5.so) ==26802== by 0x10DE1F: ??? (in /sbin/rpc.statd) ==26802== by 0x10D0EF: main (in /sbin/rpc.statd) ==26802== Uninitialised value was created by a heap allocation ==26802== at 0x4C2210C: malloc (vg_replace_malloc.c:195) ==26802== by 0x53438BE: xprt_register (in /lib64/libc-2.5.so) ==26802== by 0x53450DF: svcudp_bufcreate (in /lib64/libc-2.5.so) ==26802== by 0x10FE32: ??? (in /sbin/rpc.statd) ==26802== by 0x10D13E: main (in /sbin/rpc.statd) --- ChangeLog | 5 +++++ NEWS | 11 +++++------ sunrpc/svc.c | 4 ++-- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6bca61bf18..2df497fb29 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2015-03-18 Brad Hubbard + + [BZ #17542] + * sunrpc/svc.c (xprt_register): Use calloc to allocate xports. + 2015-03-17 Alexandre Oliva [BZ #17090] diff --git a/NEWS b/NEWS index 86394b8d06..4e1e661864 100644 --- a/NEWS +++ b/NEWS @@ -10,12 +10,11 @@ Version 2.22 * The following bugs are resolved with this release: 4719, 13064, 14094, 14841, 14906, 15319, 15467, 15790, 15969, 16351, - 16512, 16560, 16783, 17090, 17269, 17523, 17569, 17588, 17620, 17621, - 17628, 17631, 17711, 17776, 17779, 17792, 17836, 17912, 17916, 17932, - 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, 17991, 17996, - 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18036, 18038, 18039, - 18042, 18043, 18046, 18047, 18068, 18080, 18093, 18104, 18110, 18111, - 18128. + 16512, 16560, 16783, 17269, 17523, 17542, 17569, 17588, 17631, 17711, + 17776, 17779, 17792, 17836, 17912, 17916, 17932, 17944, 17949, 17964, + 17965, 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, + 18020, 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, + 18047, 18068, 18080, 18093, 18104, 18110, 18111. * Character encoding and ctype tables were updated to Unicode 7.0.0, using new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red diff --git a/sunrpc/svc.c b/sunrpc/svc.c index 8c4e8a5c72..c6ccf10c7c 100644 --- a/sunrpc/svc.c +++ b/sunrpc/svc.c @@ -97,8 +97,8 @@ xprt_register (SVCXPRT *xprt) if (xports == NULL) { - xports = (SVCXPRT **) malloc (_rpc_dtablesize () * sizeof (SVCXPRT *)); - if (xports == NULL) /* Donīt add handle */ + xports = (SVCXPRT **) calloc (_rpc_dtablesize (), sizeof (SVCXPRT *)); + if (xports == NULL) /* Don't add handle */ return; }