d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support clnt_raw's use of FD_SETSIZE as a fake file descriptor.

Browse Source 
Accomplish this by allocating space for it in __svc_xports and allowing
it to be registered.  The failure to allocate space was causing an
out-of-bounds read in svc_getreq_common().  The failure to register
caused PR 211804.

The bug was found with CHERI bounds checking.

PR:		211804
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Reviewed by:	ngie
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D10528
This commit is contained in:
Brooks Davis 2017-05-01 20:04:07 +00:00
parent 4e352a4583
commit efa2501ed6
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/libc/rpc/svc.c
View File

@ -108,18 +108,19 @@ xprt_register(SVCXPRT *xprt)
rwlock_wrlock(&svc_fd_lock);
if (__svc_xports == NULL) {
__svc_xports = (SVCXPRT **)
mem_alloc(FD_SETSIZE * sizeof(SVCXPRT *));
mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
if (__svc_xports == NULL) {
rwlock_unlock(&svc_fd_lock);
return;
}
memset(__svc_xports, '\0', FD_SETSIZE * sizeof(SVCXPRT *));
memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT *));
}
if (sock < FD_SETSIZE) {
__svc_xports[sock] = xprt;
FD_SET(sock, &svc_fdset);
svc_maxfd = max(svc_maxfd, sock);
}
} else if (sock == FD_SETSIZE)
__svc_xports[sock] = xprt;
rwlock_unlock(&svc_fd_lock);
}
@ -157,7 +158,8 @@ __xprt_do_unregister(SVCXPRT *xprt, bool_t dolock)
if (__svc_xports[svc_maxfd])
break;
}
}
} else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
__svc_xports[sock] = NULL;
if (dolock)
rwlock_unlock(&svc_fd_lock);
}