authorbrooks <brooks@FreeBSD.org>2017-05-15 23:13:49 +0000
committerbrooks <brooks@FreeBSD.org>2017-05-15 23:13:49 +0000
commit00a030b288ed6acc550a0a4914b72b54966a5273 (patch)
treed96f31d598a40545372e984b02f4375da1d4f4da /lib/libc/rpc
parent55f52c0df184d00af839c0781e20e389b1fb1d65 (diff)
MFC r317660, r317710
r317660: Support clnt_raw's use of FD_SETSIZE as a fake file descriptor. Accomplish this by allocating space for it in __svc_xports and allowing it to be registered. The failure to allocate space was causing an out-of-bounds read in svc_getreq_common(). The failure to register caused PR 211804. The bug was found with CHERI bounds checking. PR: 211804 Obtained from: CheriBSD Sponsored by: DARPA, AFRL Reviewed by: ngie Differential Revision: https://reviews.freebsd.org/D10528 r317710: Remove expected failure now that it was fixed in r317660. PR: 211804 Reviewed by: ngie Obtained from: CheriBSD Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D10576
Diffstat (limited to 'lib/libc/rpc')
-rw-r--r--lib/libc/rpc/svc.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/libc/rpc/svc.c b/lib/libc/rpc/svc.c
index d68fa9f..de80a69 100644
--- a/lib/libc/rpc/svc.c
+++ b/lib/libc/rpc/svc.c
@@ -108,18 +108,19 @@ xprt_register(SVCXPRT *xprt)
rwlock_wrlock(&svc_fd_lock);
if (__svc_xports == NULL) {
__svc_xports = (SVCXPRT **)
- mem_alloc(FD_SETSIZE * sizeof(SVCXPRT *));
+ mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
if (__svc_xports == NULL) {
rwlock_unlock(&svc_fd_lock);
return;
}
- memset(__svc_xports, '\0', FD_SETSIZE * sizeof(SVCXPRT *));
+ memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT *));
}
if (sock < FD_SETSIZE) {
__svc_xports[sock] = xprt;
FD_SET(sock, &svc_fdset);
svc_maxfd = max(svc_maxfd, sock);
- }
+ } else if (sock == FD_SETSIZE)
+ __svc_xports[sock] = xprt;
rwlock_unlock(&svc_fd_lock);
}
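Review bot: The extra slot's size is spelled out as `(FD_SETSIZE + 1)` twice and relied on a third time by the `sock == FD_SETSIZE` branch, with no comment at the allocation saying why the array is one entry longer than an fd_set. If one of those sites is later changed alone, `__svc_xports[FD_SETSIZE]` is out of bounds again, which is the class of bug this commit fixes. I would add a comment above the allocation such as `/* slot FD_SETSIZE holds clnt_raw's fake descriptor; it is never added to svc_fdset */`, and ideally use one named size for both `mem_alloc` and `memset`. Separately, the `sock < FD_SETSIZE` test has no lower bound. The declaration of sock is above the hunk, so this is hedged: if it is a signed int, a negative value would index before the array and reach `FD_SET`.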
@@ -157,7 +158,8 @@ __xprt_do_unregister(SVCXPRT *xprt, bool_t dolock)
if (__svc_xports[svc_maxfd])
break;
}
- }
+ } else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
+ __svc_xports[sock] = NULL;
if (dolock)
rwlock_unlock(&svc_fd_lock);
}
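Review bot: The new `else if` reads `__svc_xports[sock]` without any visible check that `__svc_xports` was ever allocated. The xprt_register hunk shows that an allocation failure unlocks and returns silently, so a transport can exist that was never stored, and unregistering it with `sock == FD_SETSIZE` would index a NULL array. The condition of the first branch is outside this hunk, so a guard may already exist above. If it does not, a check such as `if (__svc_xports == NULL) goto unlock;` before both branches, or `(__svc_xports != NULL) &&` in this condition, would close it. The brace-less `else if` after a braced `if` body is also easy to misread; bracing it would match the branch above.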