[Bug 1205126] [NEW] rpcgen segfaults if argument is longer than 10 characters
David Cullen
dacullen at cisco.com
Thu Jul 25 22:31:42 UTC 2013
Public bug reported:
rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with
"expected type specifier" if a function argument is longer than 10
characters.
The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates a
10 character buffer on the stack and then uses unsafe functions to copy
to it and write to it.
The following patch fixes the problem:
diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
--- eglibc-2.15.old/sunrpc/rpc_parse.c 2010-08-19 16:32:31.000000000 -0400
+++ eglibc-2.15.new/sunrpc/rpc_parse.c 2013-07-25 18:20:35.291300550 -0400
@@ -521,7 +521,8 @@ static void
get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
{
token tok;
- char name[10]; /* argument name */
+ char name[64]; /* argument name */
+ const size_t namelen = sizeof(name);
if (dkind == DEF_PROGRAM)
{
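Review bot: growing the stack buffer from 10 to 64 bytes in this hunk still leaves a hard limit on identifier length, and since the value is immediately copied out with strdup (end of the second hunk), the intermediate `name` buffer is not needed at all: `dec->name = strdup (tok.str);` for the explicit-name case removes the bound entirely. If the fixed buffer is kept, glibc style writes `sizeof (name)` with a space, matching the surrounding calls.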
@@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
get_type (&dec->prefix, &dec->type, dkind);
dec->rel = REL_ALIAS;
if (peekscan (TOK_IDENT, &tok)) /* optional name of argument */
- strcpy (name, tok.str);
+ {
+ strncpy (name, tok.str, namelen);
+ name[namelen - 1] = '\0'; /* strncpy may not null terminate string */
+ }
else
- sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ snprintf (name, namelen, "%s%d", ARGNAME, num); /* default name of argument */
dec->name = (char *) strdup (name);
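Review bot: the strncpy/snprintf pair in this hunk trades an overflow for silent truncation: an argument name longer than 63 characters is cut short in the generated code, and two long names sharing a 63-character prefix would collide. Better to reject the over-long identifier with rpcgen's normal error path, or avoid the bound altogether with `dec->name = strdup (tok.str);` in the first branch and a heap-allocated default name in the `else` branch.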
** Affects: eglibc (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1205126
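As an added illustration (not the eglibc code and not the reporter's patch), this models the name handling in get_prog_declaration with a bounded helper that refuses an over-long identifier instead of overflowing or silently truncating it. The helper name, the value of ARGNAME and the -1 error return are assumptions; the 10-byte and 64-byte sizes are the ones from the report and the patch.

```c
/* Added example: bounded construction of an rpcgen argument name,
 * modelled on get_prog_declaration in sunrpc/rpc_parse.c.  The helper,
 * the ARGNAME value and the error return are assumptions. */
#include <stdio.h>
#include <string.h>

#define ARGNAME "arg"   /* assumed default-name prefix */

/* Build the argument name into out[outlen].  ident may be NULL (no
 * explicit name in the .x file), in which case the default ARGNAME<num>
 * is used.  Returns the length written, or -1 if the name does not fit,
 * so the caller can report an error instead of overflowing the buffer
 * (strcpy/sprintf) or silently truncating it (strncpy/snprintf). */
int make_arg_name(const char *ident, int num, char *out, size_t outlen)
{
    int n;
    if (outlen == 0)
        return -1;
    if (ident != NULL) {
        size_t len = strlen(ident);
        if (len >= outlen)
            return -1;          /* no room for the terminator */
        memcpy(out, ident, len + 1);
        return (int)len;
    }
    n = snprintf(out, outlen, "%s%d", ARGNAME, num);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* snprintf returns the untruncated length */
    return n;
}

int main(void)
{
    char small[10];             /* size used by the original code */
    char big[64];               /* size chosen by the patch */
    const char *ident = "very_long_argument_name";   /* constructed input */

    printf("10-byte buffer: %d\n", make_arg_name(ident, 1, small, sizeof small));
    printf("64-byte buffer: %d\n", make_arg_name(ident, 1, big, sizeof big));
    printf("default name:   %d (%s)\n",
           make_arg_name(NULL, 3, big, sizeof big), big);
    return 0;
}
```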