From 4b2e40a9259fab08161e1c607b06a41e15d543dc Mon Sep 17 00:00:00 2001 From: Stefan Liebler Date: Fri, 4 Dec 2020 17:00:27 +0100 Subject: Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request. If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32), gcc 11 dumps this warning: svc_tcp.c: In function 'rendezvous_request': svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds] 274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors In out-of-memory case, if one of the mallocs in makefd_xprt function returns NULL, a message is dumped, makefd_xprt returns NULL and the subsequent memcpy would copy to NULL. Instead of a segfaulting, we delay a bit (see also __svc_accept_failed and Bug 14889 (CVE-2011-4609) - svc_run() produces high cpu usage when accept() fails with EMFILE (CVE-2011-4609). The same applies to svc_unix.c. Reviewed-by: Adhemerval Zanella --- sunrpc/svc_unix.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'sunrpc/svc_unix.c') diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index e01afeabe6..3decea427c 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -270,6 +270,14 @@ again: memset (&in_addr, '\0', sizeof (in_addr)); in_addr.sin_family = AF_UNIX; xprt = makefd_xprt (sock, r->sendsize, r->recvsize); + + /* If we are out of memory, makefd_xprt has already dumped an error. */ + if (xprt == NULL) + { + __svc_wait_on_error (); + return FALSE; + } + memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr)); xprt->xp_addrlen = len; return FALSE; /* there is never an rpc msg to be processed */ -- cgit 1.4.1