Subject: bin/10487: rpcbind crashes on pmax
To: None <gnats-bugs@gnats.netbsd.org>
From: None <chr@akaflieg.uni-karlsruhe.de>
List: netbsd-bugs
Date: 06/30/2000 07:53:14
>Number: 10487
>Category: bin
>Synopsis: rpcbind crashes on pmax
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 30 07:54:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Christian Riede
>Release: 1.5_ALPHA
>Organization:
Akaflieg Karlsruhe e.V.
>Environment:
chr@akfv1(~)$ uname -a
NetBSD akfv1 1.5_ALPHA NetBSD 1.5_ALPHA (AKAFLIEG) #3: Sun Jul 11 17:22:09 CET 1976 chr@akfds2:/usr/src/sys/arch/pmax/compile/AKAFLIEG pmax
>Description:
rpcbind crashes with SIGSEGV in:
rpcb_svc_com.c: unmodified, readonly: line 451 of 1458
because of a null pointer in cap->rmt_uaddr used as first argument to sscanf().
>How-To-Repeat:
Run rpcbind and wait. Possibly an old DECSystem 5500 under Ultrix 4.3
in the same subnet using the NetBSD system as NIS and NFS server
could cause the problem:
chr@akfds3(~)$ uname -a
ULTRIX akfds3 4.3 1 RISC unknown
Coredump of rpcbind can be provided O/R
>Fix:
root@akfds1(/usr/src/usr.sbin/rpcbind)# cvs diff rpcb_svc_com.c
Index: rpcb_svc_com.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/rpcbind/rpcb_svc_com.c,v
retrieving revision 1.1.2.1
diff -r1.1.2.1 rpcb_svc_com.c
451,452c451,454
< if (sscanf(cap->rmt_uaddr, "%d.%d.%d.%d.%d.%d",
< &h1, &h2, &h3, &h4, &p1, &p2) != 6)
---
> /* C.R. Bugfix: check for NULL pointer cap->rmt_uaddr */
> if ((!cap->rmt_uaddr ||
> sscanf(cap->rmt_uaddr, "%d.%d.%d.%d.%d.%d",
> &h1, &h2, &h3, &h4, &p1, &p2) != 6))
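Review bot: The new condition at line 451 guards a body that this hunk does not show, so confirm that the failure path never touches cap->rmt_uaddr again when it is NULL, for example as a %s argument in a log or debug message. The NULL test itself is placed correctly: it sits on the left of || and short-circuits before sscanf() is reached. Since the report suggests another host on the subnet can trigger the crash, treat the field as untrusted input and apply the same check to any other use of cap->rmt_uaddr in this function. Two style points: the outer pair of parentheses around the whole condition is redundant, and the initialed "C.R. Bugfix" comment belongs in the commit log, with the in-code comment saying only why the pointer can be NULL here.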
root@akfds1(/usr/src/usr.sbin/rpcbind)#
>Release-Note:
>Audit-Trail:
>Unformatted: