Subject: lib/21014: Bug in lib/libc/rpc/svc_simple.c
To: None <gnats-bugs@gnats.netbsd.org>
From: None <pugs@ieee.org>
List: netbsd-bugs
Date: 04/04/2003 17:12:03
>Number: 21014
>Category: lib
>Synopsis: Failure to clear buffer causes fault in xdr_string
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 04 19:12:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Tom Lyon
>Release: NetBSD 1.6
>Organization:
>Environment:
System: NetBSD nb.lyon-about.com 1.6 NetBSD 1.6 (GENERIC) #14: Thu Apr 3 15:06:15 PST 2003 pugs@nb.lyon-about.com:/opt/nbsrc/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
An incorrect argument to memset, involving a sizeof that shouldn't have
been there, caused a buffer not to be fully zeroed, which then caused
xdr_string to crash when trying to free a string from an RPC decode
buffer - but the string pointer was just garbage from not being zeroed.
>How-To-Repeat:
Create a simple RPC service using strings as any but the first argument
>Fix:
Change line 280 of lib/libc/rpc/svc_simple.c from
(void) memset(xdrbuf, 0, sizeof (pl->p_recvsz));
to
(void) memset(xdrbuf, 0, (unsigned)pl->p_recvsz);
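The following is an added illustration of the defect, not code from NetBSD's svc_simple.c: struct proglst_stub and args_stub are constructed stand-ins for the real proglst entry and for a decoded argument record, and the 0xAA fill simulates a recycled, never-zeroed heap block. It shows why sizeof (pl->p_recvsz) clears only the size of the integer field (4 bytes on i386) rather than p_recvsz bytes, leaving string pointer slots beyond the first full of garbage that an XDR_FREE pass would hand to free(3).

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the proglst entry in svc_simple.c: only the
 * field this report concerns (the receive buffer size) is modelled. */
struct proglst_stub {
    unsigned int p_recvsz;   /* bytes in the per-procedure XDR buffer */
};

/* Constructed RPC argument record: the decode buffer holds one pointer per
 * string argument, which is exactly what xdr_string frees on XDR_FREE. */
struct args_stub {
    char *first;
    char *second;
    char *third;
};

/* Buggy form from the report: sizeof (pl->p_recvsz) is the width of the
 * unsigned int, not the buffer length stored in it. */
static void clear_buggy(struct proglst_stub *pl, void *xdrbuf)
{
    (void) memset(xdrbuf, 0, sizeof (pl->p_recvsz));
}

/* Corrected form from the report: zero the whole receive buffer. */
static void clear_fixed(struct proglst_stub *pl, void *xdrbuf)
{
    (void) memset(xdrbuf, 0, (unsigned)pl->p_recvsz);
}

/* Count the string-pointer slots still non-NULL after clearing. Each such
 * slot is a garbage pointer that the free pass would pass to free(3); the
 * count is returned instead of freeing so the demonstration cannot crash. */
static int leftover_pointers(void (*clear)(struct proglst_stub *, void *))
{
    struct proglst_stub pl = { .p_recvsz = sizeof (struct args_stub) };
    struct args_stub *buf = malloc(pl.p_recvsz);
    int n = 0;

    if (buf == NULL)
        return -1;
    /* Simulate a reused heap block that still holds old data. */
    memset(buf, 0xAA, pl.p_recvsz);
    clear(&pl, buf);
    n += (buf->first != NULL);
    n += (buf->second != NULL);
    n += (buf->third != NULL);
    free(buf);
    return n;
}

int main(void)
{
    printf("buggy memset leaves %d garbage string pointers\n",
           leftover_pointers(clear_buggy));
    printf("fixed memset leaves %d garbage string pointers\n",
           leftover_pointers(clear_fixed));
    return 0;
}
```

On a 32-bit target the buggy clear zeroes exactly the first pointer slot, which matches the report's observation that only strings in positions after the first argument trigger the fault; on a 64-bit target even the first slot is only half cleared. The fixed form leaves no garbage pointer in either case.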
>Release-Note:
>Audit-Trail:
>Unformatted: