freebsd-nq/lib/libc/rpc/svc.c
Brooks Davis efa2501ed6 Support clnt_raw's use of FD_SETSIZE as a fake file descriptor.
Accomplish this by allocating space for it in __svc_xports and allowing
it to be registered.  The failure to allocate space was causing an
out-of-bounds read in svc_getreq_common().  The failure to register
caused PR 211804.

The bug was found with CHERI bounds checking.

PR:		211804
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Reviewed by:	ngie
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D10528
2017-05-01 20:04:07 +00:00

762 lines
18 KiB
C

/* $NetBSD: svc.c,v 1.21 2000/07/06 03:10:35 christos Exp $ */
/*-
* Copyright (c) 2009, Sun Microsystems, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* - Neither the name of Sun Microsystems, Inc. nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char *sccsid2 = "@(#)svc.c 1.44 88/02/08 Copyr 1984 Sun Micro";
static char *sccsid = "@(#)svc.c 2.4 88/08/11 4.0 RPCSRC";
#endif
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
/*
* svc.c, Server-side remote procedure call interface.
*
* There are two sets of procedures here. The xprt routines are
* for handling transport handles. The svc routines handle the
* list of service routines.
*
* Copyright (C) 1984, Sun Microsystems, Inc.
*/
#include "namespace.h"
#include "reentrant.h"
#include <sys/types.h>
#include <sys/poll.h>
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <rpc/rpc.h>
#ifdef PORTMAP
#include <rpc/pmap_clnt.h>
#endif /* PORTMAP */
#include "un-namespace.h"
#include "rpc_com.h"
#include "mt_misc.h"
#define RQCRED_SIZE 400 /* this size is excessive */
#define SVC_VERSQUIET 0x0001 /* keep quiet about vers mismatch */
#define version_keepquiet(xp) (SVC_EXT(xp)->xp_flags & SVC_VERSQUIET)
#define max(a, b) (a > b ? a : b)
/*
* The services list
* Each entry represents a set of procedures (an rpc program).
* The dispatch routine takes request structs and runs the
* appropriate procedure.
*/
static struct svc_callout {
struct svc_callout *sc_next;
rpcprog_t sc_prog;
rpcvers_t sc_vers;
char *sc_netid;
void (*sc_dispatch)(struct svc_req *, SVCXPRT *);
} *svc_head;
SVCXPRT **__svc_xports;
int __svc_maxrec;
static struct svc_callout *svc_find(rpcprog_t, rpcvers_t,
struct svc_callout **, char *);
static void __xprt_do_unregister (SVCXPRT *xprt, bool_t dolock);
/* *************** SVCXPRT related stuff **************** */
/*
* Activate a transport handle.
*/
void
xprt_register(SVCXPRT *xprt)
{
int sock;
assert(xprt != NULL);
sock = xprt->xp_fd;
rwlock_wrlock(&svc_fd_lock);
if (__svc_xports == NULL) {
__svc_xports = (SVCXPRT **)
mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
if (__svc_xports == NULL) {
rwlock_unlock(&svc_fd_lock);
return;
}
memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT *));
}
if (sock < FD_SETSIZE) {
__svc_xports[sock] = xprt;
FD_SET(sock, &svc_fdset);
svc_maxfd = max(svc_maxfd, sock);
} else if (sock == FD_SETSIZE)
__svc_xports[sock] = xprt;
rwlock_unlock(&svc_fd_lock);
}
void
xprt_unregister(SVCXPRT *xprt)
{
__xprt_do_unregister(xprt, TRUE);
}
void
__xprt_unregister_unlocked(SVCXPRT *xprt)
{
__xprt_do_unregister(xprt, FALSE);
}
/*
* De-activate a transport handle.
*/
static void
__xprt_do_unregister(SVCXPRT *xprt, bool_t dolock)
{
int sock;
assert(xprt != NULL);
sock = xprt->xp_fd;
if (dolock)
rwlock_wrlock(&svc_fd_lock);
if ((sock < FD_SETSIZE) && (__svc_xports[sock] == xprt)) {
__svc_xports[sock] = NULL;
FD_CLR(sock, &svc_fdset);
if (sock >= svc_maxfd) {
for (svc_maxfd--; svc_maxfd>=0; svc_maxfd--)
if (__svc_xports[svc_maxfd])
break;
}
} else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
__svc_xports[sock] = NULL;
if (dolock)
rwlock_unlock(&svc_fd_lock);
}
/*
* Add a service program to the callout list.
* The dispatch routine will be called when a rpc request for this
* program number comes in.
*/
bool_t
svc_reg(SVCXPRT *xprt, const rpcprog_t prog, const rpcvers_t vers,
void (*dispatch)(struct svc_req *, SVCXPRT *),
const struct netconfig *nconf)
{
bool_t dummy;
struct svc_callout *prev;
struct svc_callout *s;
struct netconfig *tnconf;
char *netid = NULL;
int flag = 0;
/* VARIABLES PROTECTED BY svc_lock: s, prev, svc_head */
if (xprt->xp_netid) {
netid = strdup(xprt->xp_netid);
flag = 1;
} else if (nconf && nconf->nc_netid) {
netid = strdup(nconf->nc_netid);
flag = 1;
} else if ((tnconf = __rpcgettp(xprt->xp_fd)) != NULL) {
netid = strdup(tnconf->nc_netid);
flag = 1;
freenetconfigent(tnconf);
} /* must have been created with svc_raw_create */
if ((netid == NULL) && (flag == 1)) {
return (FALSE);
}
rwlock_wrlock(&svc_lock);
if ((s = svc_find(prog, vers, &prev, netid)) != NULL) {
free(netid);
if (s->sc_dispatch == dispatch)
goto rpcb_it; /* he is registering another xptr */
rwlock_unlock(&svc_lock);
return (FALSE);
}
s = mem_alloc(sizeof (struct svc_callout));
if (s == NULL) {
free(netid);
rwlock_unlock(&svc_lock);
return (FALSE);
}
s->sc_prog = prog;
s->sc_vers = vers;
s->sc_dispatch = dispatch;
s->sc_netid = netid;
s->sc_next = svc_head;
svc_head = s;
if ((xprt->xp_netid == NULL) && (flag == 1) && netid)
((SVCXPRT *) xprt)->xp_netid = strdup(netid);
rpcb_it:
rwlock_unlock(&svc_lock);
/* now register the information with the local binder service */
if (nconf) {
/*LINTED const castaway*/
dummy = rpcb_set(prog, vers, (struct netconfig *) nconf,
&((SVCXPRT *) xprt)->xp_ltaddr);
return (dummy);
}
return (TRUE);
}
/*
* Remove a service program from the callout list.
*/
void
svc_unreg(const rpcprog_t prog, const rpcvers_t vers)
{
struct svc_callout *prev;
struct svc_callout *s;
/* unregister the information anyway */
(void) rpcb_unset(prog, vers, NULL);
rwlock_wrlock(&svc_lock);
while ((s = svc_find(prog, vers, &prev, NULL)) != NULL) {
if (prev == NULL) {
svc_head = s->sc_next;
} else {
prev->sc_next = s->sc_next;
}
s->sc_next = NULL;
if (s->sc_netid)
mem_free(s->sc_netid, sizeof (s->sc_netid) + 1);
mem_free(s, sizeof (struct svc_callout));
}
rwlock_unlock(&svc_lock);
}
/* ********************** CALLOUT list related stuff ************* */
#ifdef PORTMAP
/*
* Add a service program to the callout list.
* The dispatch routine will be called when a rpc request for this
* program number comes in.
*/
bool_t
svc_register(SVCXPRT *xprt, u_long prog, u_long vers,
void (*dispatch)(struct svc_req *, SVCXPRT *),
int protocol)
{
struct svc_callout *prev;
struct svc_callout *s;
assert(xprt != NULL);
assert(dispatch != NULL);
if ((s = svc_find((rpcprog_t)prog, (rpcvers_t)vers, &prev, NULL)) !=
NULL) {
if (s->sc_dispatch == dispatch)
goto pmap_it; /* he is registering another xptr */
return (FALSE);
}
s = mem_alloc(sizeof(struct svc_callout));
if (s == NULL) {
return (FALSE);
}
s->sc_prog = (rpcprog_t)prog;
s->sc_vers = (rpcvers_t)vers;
s->sc_dispatch = dispatch;
s->sc_next = svc_head;
svc_head = s;
pmap_it:
/* now register the information with the local binder service */
if (protocol) {
return (pmap_set(prog, vers, protocol, xprt->xp_port));
}
return (TRUE);
}
/*
* Remove a service program from the callout list.
*/
void
svc_unregister(u_long prog, u_long vers)
{
struct svc_callout *prev;
struct svc_callout *s;
if ((s = svc_find((rpcprog_t)prog, (rpcvers_t)vers, &prev, NULL)) ==
NULL)
return;
if (prev == NULL) {
svc_head = s->sc_next;
} else {
prev->sc_next = s->sc_next;
}
s->sc_next = NULL;
mem_free(s, sizeof(struct svc_callout));
/* now unregister the information with the local binder service */
(void)pmap_unset(prog, vers);
}
#endif /* PORTMAP */
/*
* Search the callout list for a program number, return the callout
* struct.
*/
static struct svc_callout *
svc_find(rpcprog_t prog, rpcvers_t vers, struct svc_callout **prev,
char *netid)
{
struct svc_callout *s, *p;
assert(prev != NULL);
p = NULL;
for (s = svc_head; s != NULL; s = s->sc_next) {
if (((s->sc_prog == prog) && (s->sc_vers == vers)) &&
((netid == NULL) || (s->sc_netid == NULL) ||
(strcmp(netid, s->sc_netid) == 0)))
break;
p = s;
}
*prev = p;
return (s);
}
/* ******************* REPLY GENERATION ROUTINES ************ */
/*
* Send a reply to an rpc request
*/
bool_t
svc_sendreply(SVCXPRT *xprt, xdrproc_t xdr_results,
void * xdr_location)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = SUCCESS;
rply.acpted_rply.ar_results.where = xdr_location;
rply.acpted_rply.ar_results.proc = xdr_results;
return (SVC_REPLY(xprt, &rply));
}
/*
* No procedure error reply
*/
void
svcerr_noproc(SVCXPRT *xprt)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROC_UNAVAIL;
SVC_REPLY(xprt, &rply);
}
/*
* Can't decode args error reply
*/
void
svcerr_decode(SVCXPRT *xprt)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = GARBAGE_ARGS;
SVC_REPLY(xprt, &rply);
}
/*
* Some system error
*/
void
svcerr_systemerr(SVCXPRT *xprt)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = SYSTEM_ERR;
SVC_REPLY(xprt, &rply);
}
#if 0
/*
* Tell RPC package to not complain about version errors to the client. This
* is useful when revving broadcast protocols that sit on a fixed address.
* There is really one (or should be only one) example of this kind of
* protocol: the portmapper (or rpc binder).
*/
void
__svc_versquiet_on(SVCXPRT *xprt)
{
SVC_EXT(xprt)->xp_flags |= SVC_VERSQUIET;
}
void
__svc_versquiet_off(SVCXPRT *xprt)
{
SVC_EXT(xprt)->xp_flags &= ~SVC_VERSQUIET;
}
void
svc_versquiet(SVCXPRT *xprt)
{
__svc_versquiet_on(xprt);
}
int
__svc_versquiet_get(SVCXPRT *xprt)
{
return (SVC_EXT(xprt)->xp_flags & SVC_VERSQUIET);
}
#endif
/*
* Authentication error reply
*/
void
svcerr_auth(SVCXPRT *xprt, enum auth_stat why)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_DENIED;
rply.rjcted_rply.rj_stat = AUTH_ERROR;
rply.rjcted_rply.rj_why = why;
SVC_REPLY(xprt, &rply);
}
/*
* Auth too weak error reply
*/
void
svcerr_weakauth(SVCXPRT *xprt)
{
assert(xprt != NULL);
svcerr_auth(xprt, AUTH_TOOWEAK);
}
/*
* Program unavailable error reply
*/
void
svcerr_noprog(SVCXPRT *xprt)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROG_UNAVAIL;
SVC_REPLY(xprt, &rply);
}
/*
* Program version mismatch error reply
*/
void
svcerr_progvers(SVCXPRT *xprt, rpcvers_t low_vers, rpcvers_t high_vers)
{
struct rpc_msg rply;
assert(xprt != NULL);
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROG_MISMATCH;
rply.acpted_rply.ar_vers.low = (u_int32_t)low_vers;
rply.acpted_rply.ar_vers.high = (u_int32_t)high_vers;
SVC_REPLY(xprt, &rply);
}
/*
* Allocate a new server transport structure. All fields are
* initialized to zero and xp_p3 is initialized to point at an
* extension structure to hold various flags and authentication
* parameters.
*/
SVCXPRT *
svc_xprt_alloc(void)
{
SVCXPRT *xprt;
SVCXPRT_EXT *ext;
xprt = mem_alloc(sizeof(SVCXPRT));
if (xprt == NULL)
return (NULL);
memset(xprt, 0, sizeof(SVCXPRT));
ext = mem_alloc(sizeof(SVCXPRT_EXT));
if (ext == NULL) {
mem_free(xprt, sizeof(SVCXPRT));
return (NULL);
}
memset(ext, 0, sizeof(SVCXPRT_EXT));
xprt->xp_p3 = ext;
ext->xp_auth.svc_ah_ops = &svc_auth_null_ops;
return (xprt);
}
/*
* Free a server transport structure.
*/
void
svc_xprt_free(SVCXPRT *xprt)
{
mem_free(xprt->xp_p3, sizeof(SVCXPRT_EXT));
mem_free(xprt, sizeof(SVCXPRT));
}
/* ******************* SERVER INPUT STUFF ******************* */
/*
* Get server side input from some transport.
*
* Statement of authentication parameters management:
* This function owns and manages all authentication parameters, specifically
* the "raw" parameters (msg.rm_call.cb_cred and msg.rm_call.cb_verf) and
* the "cooked" credentials (rqst->rq_clntcred).
* However, this function does not know the structure of the cooked
* credentials, so it make the following assumptions:
* a) the structure is contiguous (no pointers), and
* b) the cred structure size does not exceed RQCRED_SIZE bytes.
* In all events, all three parameters are freed upon exit from this routine.
* The storage is trivially management on the call stack in user land, but
* is mallocated in kernel land.
*/
void
svc_getreq(int rdfds)
{
fd_set readfds;
FD_ZERO(&readfds);
readfds.fds_bits[0] = rdfds;
svc_getreqset(&readfds);
}
void
svc_getreqset(fd_set *readfds)
{
int bit, fd;
fd_mask mask, *maskp;
int sock;
assert(readfds != NULL);
maskp = readfds->fds_bits;
for (sock = 0; sock < FD_SETSIZE; sock += NFDBITS) {
for (mask = *maskp++; (bit = ffsl(mask)) != 0;
mask ^= (1ul << (bit - 1))) {
/* sock has input waiting */
fd = sock + bit - 1;
svc_getreq_common(fd);
}
}
}
void
svc_getreq_common(int fd)
{
SVCXPRT *xprt;
struct svc_req r;
struct rpc_msg msg;
int prog_found;
rpcvers_t low_vers;
rpcvers_t high_vers;
enum xprt_stat stat;
char cred_area[2*MAX_AUTH_BYTES + RQCRED_SIZE];
msg.rm_call.cb_cred.oa_base = cred_area;
msg.rm_call.cb_verf.oa_base = &(cred_area[MAX_AUTH_BYTES]);
r.rq_clntcred = &(cred_area[2*MAX_AUTH_BYTES]);
rwlock_rdlock(&svc_fd_lock);
xprt = __svc_xports[fd];
rwlock_unlock(&svc_fd_lock);
if (xprt == NULL)
/* But do we control sock? */
return;
/* now receive msgs from xprtprt (support batch calls) */
do {
if (SVC_RECV(xprt, &msg)) {
/* now find the exported program and call it */
struct svc_callout *s;
enum auth_stat why;
r.rq_xprt = xprt;
r.rq_prog = msg.rm_call.cb_prog;
r.rq_vers = msg.rm_call.cb_vers;
r.rq_proc = msg.rm_call.cb_proc;
r.rq_cred = msg.rm_call.cb_cred;
/* first authenticate the message */
if ((why = _authenticate(&r, &msg)) != AUTH_OK) {
/*
* RPCSEC_GSS uses this return code
* for requests that form part of its
* context establishment protocol and
* should not be dispatched to the
* application.
*/
if (why != RPCSEC_GSS_NODISPATCH)
svcerr_auth(xprt, why);
goto call_done;
}
/* now match message with a registered service*/
prog_found = FALSE;
low_vers = (rpcvers_t) -1L;
high_vers = (rpcvers_t) 0L;
for (s = svc_head; s != NULL; s = s->sc_next) {
if (s->sc_prog == r.rq_prog) {
if (s->sc_vers == r.rq_vers) {
(*s->sc_dispatch)(&r, xprt);
goto call_done;
} /* found correct version */
prog_found = TRUE;
if (s->sc_vers < low_vers)
low_vers = s->sc_vers;
if (s->sc_vers > high_vers)
high_vers = s->sc_vers;
} /* found correct program */
}
/*
* if we got here, the program or version
* is not served ...
*/
if (prog_found)
svcerr_progvers(xprt, low_vers, high_vers);
else
svcerr_noprog(xprt);
/* Fall through to ... */
}
/*
* Check if the xprt has been disconnected in a
* recursive call in the service dispatch routine.
* If so, then break.
*/
rwlock_rdlock(&svc_fd_lock);
if (xprt != __svc_xports[fd]) {
rwlock_unlock(&svc_fd_lock);
break;
}
rwlock_unlock(&svc_fd_lock);
call_done:
if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
SVC_DESTROY(xprt);
break;
}
} while (stat == XPRT_MOREREQS);
}
void
svc_getreq_poll(struct pollfd *pfdp, int pollretval)
{
int i;
int fds_found;
for (i = fds_found = 0; fds_found < pollretval; i++) {
struct pollfd *p = &pfdp[i];
if (p->revents) {
/* fd has input waiting */
fds_found++;
/*
* We assume that this function is only called
* via someone _select()ing from svc_fdset or
* _poll()ing from svc_pollset[]. Thus it's safe
* to handle the POLLNVAL event by simply turning
* the corresponding bit off in svc_fdset. The
* svc_pollset[] array is derived from svc_fdset
* and so will also be updated eventually.
*
* XXX Should we do an xprt_unregister() instead?
*/
if (p->revents & POLLNVAL) {
rwlock_wrlock(&svc_fd_lock);
FD_CLR(p->fd, &svc_fdset);
rwlock_unlock(&svc_fd_lock);
} else
svc_getreq_common(p->fd);
}
}
}
bool_t
rpc_control(int what, void *arg)
{
int val;
switch (what) {
case RPC_SVC_CONNMAXREC_SET:
val = *(int *)arg;
if (val <= 0)
return FALSE;
__svc_maxrec = val;
return TRUE;
case RPC_SVC_CONNMAXREC_GET:
*(int *)arg = __svc_maxrec;
return TRUE;
default:
break;
}
return FALSE;
}