about summary refs log tree commit diff
path: root/sunrpc/bug20790.x
diff options
context:
space:
mode:
authorJoseph Myers <joseph@codesourcery.com>2016-11-08 23:44:51 +0000
committerJoseph Myers <joseph@codesourcery.com>2016-11-08 23:44:51 +0000
commit5874510faaf3cbd0bb112aaacab9f225002beed1 (patch)
tree715525d323256065690c763c09b88bd11ba52a72 /sunrpc/bug20790.x
parent116ae4fe5a70d99cf06088f0222a5913996f7f70 (diff)
downloadglibc-5874510faaf3cbd0bb112aaacab9f225002beed1.tar.gz
glibc-5874510faaf3cbd0bb112aaacab9f225002beed1.tar.xz
glibc-5874510faaf3cbd0bb112aaacab9f225002beed1.zip
Fix rpcgen buffer overrun (bug 20790).
Building with GCC 7 produces an error building rpcgen:

rpc_parse.c: In function 'get_prog_declaration':
rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
     sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
                     ~~~~^
rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
     sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That buffer overrun is for the case where the .x file declares a
program with a million arguments.  The strcpy two lines above can
generate a buffer overrun much more simply for a long argument name.

The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
provides a bound on the buffer size needed, so this patch just changes
the buffer size to MAXLINESIZE to avoid both possible buffer
overruns.  A testcase is added that rpcgen does not crash with a
500-character argument name, where it previously crashed.

It would not at all surprise me if there are many other ways of
crashing rpcgen with either valid or invalid input; fuzz testing would
likely find various such bugs, though I don't think they are that
important to fix (rpcgen is not that likely to be used with untrusted
.x files as input).  (As well as fuzz-findable bugs there are probably
also issues when various int variables get overflowed on very large
input.)  The test infrastructure for rpcgen-not-crashing tests would
need extending if tests are to be added for cases where rpcgen should
produce an error, as opposed to cases where it should succeed.

Tested for x86_64 and x86.

	[BZ #20790]
	* sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
	to MAXLINESIZE.
	* sunrpc/bug20790.x: New file.
	* sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
	variable.
	[$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
	[$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.
Diffstat (limited to 'sunrpc/bug20790.x')
-rw-r--r--sunrpc/bug20790.x1
1 files changed, 1 insertions, 0 deletions
diff --git a/sunrpc/bug20790.x b/sunrpc/bug20790.x
new file mode 100644
index 0000000000..a00c9b3830
--- /dev/null
+++ b/sunrpc/bug20790.x
@@ -0,0 +1 @@
+program TPROG { version TVERS { int FUNC(int aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) = 1; } = 1; } = 1;