author | brooks <brooks@FreeBSD.org> | 2017-05-15 22:41:01 +0000 |
---|---|---|
committer | brooks <brooks@FreeBSD.org> | 2017-05-15 22:41:01 +0000 |
commit | 83379d6a8d78669552953e860ff82b47ee49d390 (patch) | |
tree | d1a72a78a86c411d86c3586afd00eb8b5befc302 /lib | |
parent | f01e7bdca8673da4c93750765c20f2446363910c (diff) | |
download | FreeBSD-src-83379d6a8d78669552953e860ff82b47ee49d390.zip FreeBSD-src-83379d6a8d78669552953e860ff82b47ee49d390.tar.gz |
MFC r317660, r317710
r317660:
Support clnt_raw's use of FD_SETSIZE as a fake file descriptor.
Accomplish this by allocating space for it in __svc_xports and allowing
it to be registered. The failure to allocate space was causing an
out-of-bounds read in svc_getreq_common(). The failure to register
caused PR 211804.
The bug was found with CHERI bounds checking.
PR: 211804
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D10528
r317710:
Remove expected failure now that it was fixed in r317660.
PR: 211804
Reviewed by: ngie
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D10576
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/rpc/svc.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/libc/rpc/svc.c b/lib/libc/rpc/svc.c
index 507d2e2..a002216 100644
--- a/lib/libc/rpc/svc.c
+++ b/lib/libc/rpc/svc.c
@@ -108,18 +108,19 @@ xprt_register(SVCXPRT *xprt)
 rwlock_wrlock(&svc_fd_lock);
 if (__svc_xports == NULL) {
 __svc_xports = (SVCXPRT **)
- mem_alloc(FD_SETSIZE * sizeof(SVCXPRT *));
+ mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
 if (__svc_xports == NULL) {
 rwlock_unlock(&svc_fd_lock);
 return;
 }
- memset(__svc_xports, '\0', FD_SETSIZE * sizeof(SVCXPRT *));
+ memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT *));
 }
 if (sock < FD_SETSIZE) {
 __svc_xports[sock] = xprt;
 FD_SET(sock, &svc_fdset);
 svc_maxfd = max(svc_maxfd, sock);
- }
+ } else if (sock == FD_SETSIZE)
+ __svc_xports[sock] = xprt;
 rwlock_unlock(&svc_fd_lock);
 }
 
@@ -157,7 +158,8 @@ __xprt_do_unregister(SVCXPRT *xprt, bool_t dolock)
 if (__svc_xports[svc_maxfd])
 break;
 }
- }
+ } else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
+ __svc_xports[sock] = NULL;
 if (dolock)
 rwlock_unlock(&svc_fd_lock);
 } |
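Review bot: The table size `(FD_SETSIZE + 1)` is now written out twice, in the `mem_alloc` and the `memset` calls of xprt_register, and nothing in the code says why the extra slot exists. Every other indexer of `__svc_xports` depends on index FD_SETSIZE being in bounds (the commit message traces the out-of-bounds read in svc_getreq_common() to exactly this), so I would name the size once, for example `#define SVC_XPORTS_SLOTS (FD_SETSIZE + 1) /* last slot: clnt_raw's fake descriptor, never in svc_fdset */` (name is only a suggestion), and use it in both calls. The new `else if (sock == FD_SETSIZE)` arm would also read more safely braced like the `if` it follows. A descriptor above FD_SETSIZE is still dropped with no signal to the caller; if that is intended, a one-line comment at the end of the chain should say so. xprt_register starts above the hunk, so the declaration and any earlier validation of `sock` are not visible here.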
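Review bot: The added `else if` arm in __xprt_do_unregister reads `__svc_xports[sock]` with no visible check that the table was ever allocated. xprt_register returns early without registering when `mem_alloc` fails, so a later unregister of the raw transport's FD_SETSIZE descriptor could index a NULL table. The start of this function is outside the hunk, so an earlier guard may already exist; if it does not, `} else if ((sock == FD_SETSIZE) && (__svc_xports != NULL) && (__svc_xports[sock] == xprt))` closes the gap. The preceding branch, whose condition is not shown, presumably wants the same test.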