Subject: lib/21014: Bug in lib/libc/rpc/svc_simple.c
List: netbsd-bugs
Date: 04/04/2003 17:12:03
>Number:         21014
>Category:       lib
>Synopsis:       Failure to clear buffer causes fault in xdr_string
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 04 19:12:00 PST 2003
>Originator:     Tom Lyon
>Release:        NetBSD 1.6
System: NetBSD 1.6 NetBSD 1.6 (GENERIC) #14: Thu Apr 3 15:06:15 PST 2003 i386
Architecture: i386
Machine: i386
>Description:
	An incorrect argument to memset, involving a sizeof that shouldn't have
	been there, caused a buffer not to be fully zeroed, which then caused
	xdr_string to crash when trying to free a string from an RPC decode
	buffer - but the string pointer was just garbage from not being zeroed.
>How-To-Repeat:
	Create a simple RPC service using strings as any but the first argument.
>Fix:
	Change line 280 of lib/libc/rpc/svc_simple.c from
			(void) memset(xdrbuf, 0, sizeof (pl->p_recvsz));
	to
			(void) memset(xdrbuf, 0, (unsigned)pl->p_recvsz);
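The memset mismatch the report describes, as an added C example that is not part of the PR or of NetBSD's svc_simple.c: the proglst stand-in, the two-string argument layout and the 64-byte buffer are assumptions made to reproduce the effect in isolation. It also shows why only a string in a later argument position is affected, since the first pointer lies inside the few bytes the buggy call does zero.

```c
#include <string.h>

/* Constructed stand-in for svc_simple's per-program record (assumption):
 * only the receive-buffer size involved in the bug is modelled. */
struct proglst { size_t p_recvsz; };

/* Assumed layout of a decoded two-string argument list in the XDR buffer. */
struct two_string_args { char *first; char *second; };

/* The faulty call from the report: sizeof applied to the size field, so
 * only sizeof(size_t) bytes are zeroed, however large xdrbuf is. */
void clear_buggy(unsigned char *xdrbuf, const struct proglst *pl)
{
	(void)memset(xdrbuf, 0, sizeof(pl->p_recvsz));
}

/* The corrected call: zero the whole receive buffer. */
void clear_fixed(unsigned char *xdrbuf, const struct proglst *pl)
{
	(void)memset(xdrbuf, 0, pl->p_recvsz);
}

/* Fill xdrbuf with stale bytes (0xAA) left by a previous decode, then
 * clear it with the fixed routine (use_fixed != 0) or the buggy one. */
static void stale_then_clear(unsigned char *xdrbuf, size_t n, int use_fixed)
{
	struct proglst pl = { .p_recvsz = n };
	memset(xdrbuf, 0xAA, n);
	(use_fixed ? clear_fixed : clear_buggy)(xdrbuf, &pl);
}

/* Bytes of a 64-byte buffer still non-zero after clearing. */
size_t dirty_after_clear(int use_fixed)
{
	unsigned char xdrbuf[64];
	size_t i, dirty = 0;
	stale_then_clear(xdrbuf, sizeof xdrbuf, use_fixed);
	for (i = 0; i < sizeof xdrbuf; i++)
		dirty += (xdrbuf[i] != 0);
	return dirty;
}

/* 1 if the second string pointer read back from the buffer is garbage,
 * i.e. the value xdr_string's XDR_FREE pass would hand to free(). */
int second_pointer_is_garbage(int use_fixed)
{
	unsigned char xdrbuf[64];
	struct two_string_args args;
	stale_then_clear(xdrbuf, sizeof xdrbuf, use_fixed);
	memcpy(&args, xdrbuf, sizeof args);
	return args.second != NULL;
}
```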