about summary refs log tree commit diff
path: root/sunrpc
diff options
context:
space:
mode:
authorBrad Hubbard <bhubbard@redhat.com>2015-03-18 14:51:26 +0530
committerSiddhesh Poyarekar <siddhesh@redhat.com>2015-03-18 14:51:26 +0530
commited6b0fe710b631b99ed9fc28cefedfe69a16dc55 (patch)
tree5b682e438c37f4be767bc25daf630e90b455451d /sunrpc
parentf8aeae347377f3dfa8cbadde057adf1827fb1d44 (diff)
downloadglibc-ed6b0fe710b631b99ed9fc28cefedfe69a16dc55.tar.gz
glibc-ed6b0fe710b631b99ed9fc28cefedfe69a16dc55.tar.xz
glibc-ed6b0fe710b631b99ed9fc28cefedfe69a16dc55.zip
Use calloc to allocate xports (BZ #17542)
If xports is NULL in xprt_register we malloc it but if sock >
_rpc_dtablesize() that memory does not get initialised and may in theory
contain any value. Later we make a conditional jump in svc_getreq_common
based on the uninitialised memory and this caused a general protection
fault in rpc.statd on an older version of glibc but this code has not
changed since that version.

Following is the valgrind warning.

==26802== Conditional jump or move depends on uninitialised value(s)
==26802==    at 0x5343A25: svc_getreq_common (in /lib64/libc-2.5.so)
==26802==    by 0x534357B: svc_getreqset (in /lib64/libc-2.5.so)
==26802==    by 0x10DE1F: ??? (in /sbin/rpc.statd)
==26802==    by 0x10D0EF: main (in /sbin/rpc.statd)
==26802==  Uninitialised value was created by a heap allocation
==26802==    at 0x4C2210C: malloc (vg_replace_malloc.c:195)
==26802==    by 0x53438BE: xprt_register (in /lib64/libc-2.5.so)
==26802==    by 0x53450DF: svcudp_bufcreate (in /lib64/libc-2.5.so)
==26802==    by 0x10FE32: ??? (in /sbin/rpc.statd)
==26802==    by 0x10D13E: main (in /sbin/rpc.statd)
Diffstat (limited to 'sunrpc')
-rw-r--r--sunrpc/svc.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sunrpc/svc.c b/sunrpc/svc.c
index 8c4e8a5c72..c6ccf10c7c 100644
--- a/sunrpc/svc.c
+++ b/sunrpc/svc.c
@@ -97,8 +97,8 @@ xprt_register (SVCXPRT *xprt)
 
   if (xports == NULL)
     {
-      xports = (SVCXPRT **) malloc (_rpc_dtablesize () * sizeof (SVCXPRT *));
-      if (xports == NULL) /* Donīt add handle */
+      xports = (SVCXPRT **) calloc (_rpc_dtablesize (), sizeof (SVCXPRT *));
+      if (xports == NULL) /* Don't add handle */
 	return;
     }