summaryrefslogtreecommitdiff
path: root/patches/glibc/2.13/920-fix-rpc_parse-format.patch
blob: 37e58dac6f6c4231e19c1c6a3328983929a333ff (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
commit 5874510faaf3cbd0bb112aaacab9f225002beed1
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Nov 8 23:44:51 2016 +0000

    Fix rpcgen buffer overrun (bug 20790).
    
    Building with GCC 7 produces an error building rpcgen:
    
    rpc_parse.c: In function 'get_prog_declaration':
    rpc_parse.c:543:25: error: may write a terminating nul past the end of the destination [-Werror=format-length=]
         sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
                         ~~~~^
    rpc_parse.c:543:5: note: format output between 5 and 14 bytes into a destination of size 10
         sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    That buffer overrun is for the case where the .x file declares a
    program with a million arguments.  The strcpy two lines above can
    generate a buffer overrun much more simply for a long argument name.
    
    The limit on length of line read by rpcgen (MAXLINESIZE == 1024)
    provides a bound on the buffer size needed, so this patch just changes
    the buffer size to MAXLINESIZE to avoid both possible buffer
    overruns.  A testcase is added that rpcgen does not crash with a
    500-character argument name, where it previously crashed.
    
    It would not at all surprise me if there are many other ways of
    crashing rpcgen with either valid or invalid input; fuzz testing would
    likely find various such bugs, though I don't think they are that
    important to fix (rpcgen is not that likely to be used with untrusted
    .x files as input).  (As well as fuzz-findable bugs there are probably
    also issues when various int variables get overflowed on very large
    input.)  The test infrastructure for rpcgen-not-crashing tests would
    need extending if tests are to be added for cases where rpcgen should
    produce an error, as opposed to cases where it should succeed.
    
    Tested for x86_64 and x86.
    
            [BZ #20790]
            * sunrpc/rpc_parse.c (get_prog_declaration): Increase buffer size
            to MAXLINESIZE.
            * sunrpc/bug20790.x: New file.
            * sunrpc/Makefile [$(run-built-tests) = yes] (rpcgen-tests): New
            variable.
            [$(run-built-tests) = yes] (tests-special): Add $(rpcgen-tests).
            [$(run-built-tests) = yes] ($(rpcgen-tests)): New rule.

diff --git a/sunrpc/rpc_parse.c b/sunrpc/rpc_parse.c
index 1a1df6d8c2..505a6554cf 100644
--- a/sunrpc/rpc_parse.c
+++ b/sunrpc/rpc_parse.c
@@ -521,7 +521,7 @@ static void
 get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
 {
   token tok;
-  char name[10];		/* argument name */
+  char name[MAXLINESIZE];		/* argument name */
 
   if (dkind == DEF_PROGRAM)
     {