Subject: lib/21014: Bug in lib/libc/rpc/svc_simple.c
To: None <gnats-bugs@gnats.netbsd.org>
From: None <pugs@ieee.org>
List: netbsd-bugs
Date: 04/04/2003 17:12:03
>Number:         21014
>Category:       lib
>Synopsis:       Failure to clear buffer causes fault in xdr_string
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 04 19:12:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Tom Lyon
>Release:        NetBSD 1.6
>Organization:
	
>Environment:
	
	
System: NetBSD nb.lyon-about.com 1.6 NetBSD 1.6 (GENERIC) #14: Thu Apr 3 15:06:15 PST 2003 pugs@nb.lyon-about.com:/opt/nbsrc/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
	An incorrect argument to memset, involving a sizeof that shouldn't have
	been there, caused the receive buffer not to be fully zeroed. xdr_string
	then crashed when trying to free a string from the RPC decode buffer,
	because the string pointer it saw was just garbage left in the unzeroed
	memory.
>How-To-Repeat:
	Create a simple RPC service using strings as any but the first argument
>Fix:
	Change line 280 of lib/libc/rpc/svc_simple.c from
			(void) memset(xdrbuf, 0, sizeof (pl->p_recvsz));
	to
			(void) memset(xdrbuf, 0, (unsigned)pl->p_recvsz);
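	The following is an added illustration, not code from the report or from
	libc: it places the buggy and the corrected memset side by side on a
	constructed stand-in for the proglst entry (only p_recvsz is modelled)
	and counts how many bytes of the receive buffer each one actually zeroes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the svc_simple.c proglst entry; only the
 * receive-size field is needed to show the bug (hypothetical layout). */
struct proglst_stub {
    unsigned int p_recvsz;   /* size of the XDR receive buffer in bytes */
};

/* Fill the buffer with non-zero bytes so any byte memset misses is visible
 * (stands in for whatever stale data malloc hands back). */
static void fill_garbage(char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)(0xA5 + (i & 0x0f));
}

/* Length of the all-zero prefix of buf; the bug shows up as a count far
 * smaller than p_recvsz, leaving garbage where xdr_string expects pointers. */
static size_t count_zeroed(const char *buf, size_t n)
{
    size_t z = 0;
    while (z < n && buf[z] == 0)
        z++;
    return z;
}

/* Allocate a recvsz-byte buffer, clear it the buggy or the fixed way, and
 * return how many leading bytes ended up zero. */
static size_t zeroed_after_memset(unsigned int recvsz, int use_fix)
{
    struct proglst_stub entry = { recvsz };
    struct proglst_stub *pl = &entry;
    char *xdrbuf = malloc(pl->p_recvsz);
    if (xdrbuf == NULL)
        return 0;
    fill_garbage(xdrbuf, pl->p_recvsz);
    if (use_fix)
        (void) memset(xdrbuf, 0, (unsigned)pl->p_recvsz);   /* whole buffer */
    else
        (void) memset(xdrbuf, 0, sizeof (pl->p_recvsz));    /* 4 bytes only */
    size_t z = count_zeroed(xdrbuf, pl->p_recvsz);
    free(xdrbuf);
    return z;
}

size_t zeroed_by_buggy_memset(unsigned int recvsz) { return zeroed_after_memset(recvsz, 0); }
size_t zeroed_by_fixed_memset(unsigned int recvsz) { return zeroed_after_memset(recvsz, 1); }

int main(void)
{
    unsigned int sz = 8800;   /* constructed receive size, like a UDP RPC buffer */
    printf("buggy: %zu of %u bytes zeroed\n", zeroed_by_buggy_memset(sz), sz);
    printf("fixed: %zu of %u bytes zeroed\n", zeroed_by_fixed_memset(sz), sz);
    return 0;
}
```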
>Release-Note:
>Audit-Trail:
>Unformatted: