summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorwpaul <wpaul@FreeBSD.org>1998-05-20 15:56:11 +0000
committerwpaul <wpaul@FreeBSD.org>1998-05-20 15:56:11 +0000
commite1b5e9c9781819d2174830fe15198a0d9e33d2c9 (patch)
treedbd7216c6fd996cedef0ac0a7a2714a360229fd7 /lib
parent3805b2e4dfb01009a8704e1e1aded12b3e345e5f (diff)
downloadFreeBSD-src-e1b5e9c9781819d2174830fe15198a0d9e33d2c9.zip
FreeBSD-src-e1b5e9c9781819d2174830fe15198a0d9e33d2c9.tar.gz
Change the sanity test here. It's not correct to assume that the record
size we receive here should fit into the receive buffer. Unfortunately, there's no 100% foolproof way to distinguish a ridiculously large record size that a client actually meant to send us from a ridiculously large record size that was sent as a spoof attempt. The one value that we can positively identify as bogus is zero. A zero-sized record makes absolutely no sense, and sending an endless supply of zeroes will cause the server to loop forever trying to fill its receive buffer. Note that the changes made to readtcp() make it okay to revert this sanity test since the deadlock case where a client can keep the server occupied forever in the readtcp() select() loop can't happen anymore. This solution is not ideal, but is relatively easy to implement. The ideal solution would be to re-arrange the way dispatching is handled so that the select() loop in readtcp() can be eliminated, but this is difficult to implement. I do plan to implement the complete solution eventually but in the meantime I don't want to leave the RPC library totally vulnerable. That you very much Sun, may I have another.
Diffstat (limited to 'lib')
-rw-r--r--lib/libc/xdr/xdr_rec.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/libc/xdr/xdr_rec.c b/lib/libc/xdr/xdr_rec.c
index 2919e28..b94b1ab 100644
--- a/lib/libc/xdr/xdr_rec.c
+++ b/lib/libc/xdr/xdr_rec.c
@@ -29,7 +29,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
/*static char *sccsid = "from: @(#)xdr_rec.c 1.21 87/08/11 Copyr 1984 Sun Micro";*/
/*static char *sccsid = "from: @(#)xdr_rec.c 2.2 88/08/01 4.0 RPCSRC";*/
-static char *rcsid = "$Id: xdr_rec.c,v 1.8 1997/05/28 04:57:38 wpaul Exp $";
+static char *rcsid = "$Id: xdr_rec.c,v 1.9 1998/05/15 22:57:31 wpaul Exp $";
#endif
/*
@@ -552,9 +552,13 @@ set_input_fragment(rstrm)
rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE;
/*
* Sanity check. Try not to accept wildly incorrect
- * record sizes.
+ * record sizes. Unfortunately, the only record size
+ * we can positively identify as being 'wildly incorrect'
+ * is zero. Ridiculously large record sizes may look wrong,
+ * but we don't have any way to be certain that they aren't
+ * what the client actually intended to send us.
*/
- if ((header & (~LAST_FRAG)) > rstrm->recvsize)
+ if ((header & (~LAST_FRAG)) == 0)
return(FALSE);
rstrm->fbtbc = header & (~LAST_FRAG);
return (TRUE);
OpenPOWER on IntegriCloud