[Bug 1205126] Re: rpcgen segfaults if argument is longer than 10 characters
David Cullen
dacullen at cisco.com
Thu Jul 25 22:38:16 UTC 2013
The following msg.x file can be used to duplicate the defect:
program PROGRAM {
version VERSION {
int function1(string very_long_argument_name) = 1;
int function2(string very_long_argument_name) = 2;
int function3(string very_long_argument_name) = 3;
} = 1;
} = 0x20000001;
Use the following command line to trigger the defect:
rpcgen -C -M -N -l msg.x -o msg_clnt.c
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1205126
Title:
rpcgen segfaults if argument is longer than 10 characters
Status in “eglibc” package in Ubuntu:
New
Bug description:
rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with
"expected type specifier" if a function argument is longer than 10
characters.
The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates
a 10 character buffer on the stack and then uses unsafe functions to
copy to it and write to it.
The following patch fixes the problem:
diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
--- eglibc-2.15.old/sunrpc/rpc_parse.c 2010-08-19 16:32:31.000000000 -0400
+++ eglibc-2.15.new/sunrpc/rpc_parse.c 2013-07-25 18:20:35.291300550 -0400
@@ -521,7 +521,8 @@ static void
get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
{
token tok;
- char name[10]; /* argument name */
+ char name[64]; /* argument name */
+ const size_t namelen = sizeof(name);
if (dkind == DEF_PROGRAM)
{
@@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
get_type (&dec->prefix, &dec->type, dkind);
dec->rel = REL_ALIAS;
if (peekscan (TOK_IDENT, &tok)) /* optional name of argument */
- strcpy (name, tok.str);
+ {
+ strncpy (name, tok.str, namelen);
+ name[namelen - 1] = '\0'; /* strncpy may not null terminate string */
+ }
else
- sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ snprintf (name, namelen, "%s%d", ARGNAME, num); /* default name of argument */
dec->name = (char *) strdup (name);
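Review bot: The `strncpy` branch truncates without telling the caller; `strncpy (name, tok.str, namelen)` followed by `name[namelen - 1] = '\0'` yields a well-formed but shortened identifier and parsing continues as if nothing happened. Either check `strlen (tok.str) < namelen` first and fail the parse otherwise, or drop the copy and assign `dec->name = (char *) strdup (tok.str);` in that branch, keeping the fixed buffer only for the `snprintf` default (which cannot exceed 64 bytes for any `int` as long as `ARGNAME` stays a short literal). The trailing `dec->name = (char *) strdup (name);` would then move into the `else` branch.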
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1205126/+subscriptions
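The bug description pins the defect on a 10-byte stack buffer filled with strcpy and sprintf. The following is an added example, not code from the bug report, the patch or glibc, showing two ways to build the argument name without that buffer: an exact-size heap allocation, and a bounded buffer whose caller is told when the name does not fit instead of receiving a silently truncated one. The value of ARGNAME and the function names are assumptions; the sample identifier is the one from the msg.x reproducer above.

```c
/* Added example (not from the bug report, the patch or glibc).
 * ARGNAME is assumed to match rpcgen's default prefix; make_arg_name,
 * bounded_arg_name and name_fits are hypothetical helper names. */
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGNAME "arg"   /* assumed default argument-name prefix */

/* Approach 1: size the allocation from the input, so no identifier length
 * can overflow or be cut short.  Returns a heap string the caller frees,
 * or NULL on allocation failure. */
char *make_arg_name(const char *ident, int num)
{
    if (ident != NULL)
        return strdup(ident);             /* exact size: no truncation */

    /* Default name: ARGNAME followed by the argument number. */
    int needed = snprintf(NULL, 0, "%s%d", ARGNAME, num);
    if (needed < 0)
        return NULL;
    char *out = malloc((size_t)needed + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, (size_t)needed + 1, "%s%d", ARGNAME, num);
    return out;
}

/* Approach 2: keep a bounded buffer but refuse to truncate silently.
 * Returns 0 on success, -1 (with buf set to "") when the name does not fit.
 * A silently shortened identifier can collide with another long one in the
 * generated stub, so the caller should treat -1 as a parse error. */
int bounded_arg_name(char *buf, size_t buflen, const char *ident, int num)
{
    if (buflen == 0)
        return -1;
    int written;
    if (ident != NULL)
        written = snprintf(buf, buflen, "%s", ident);
    else
        written = snprintf(buf, buflen, "%s%d", ARGNAME, num);
    /* snprintf returns the length it needed; >= buflen means it truncated. */
    if (written < 0 || (size_t)written >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Probe: does this name fit in a buffer of buflen bytes (capped at 64)? */
int name_fits(size_t buflen, const char *ident, int num)
{
    char buf[64];
    if (buflen > sizeof buf)
        buflen = sizeof buf;
    return bounded_arg_name(buf, buflen, ident, num) == 0;
}

/* Constructed sample: the identifier from the msg.x reproducer, then an
 * unnamed argument that takes the default name, checked against the
 * original 10-byte buffer size and the 64-byte size from the patch. */
int main(void)
{
    const char *idents[] = { "very_long_argument_name", NULL };
    for (int i = 0; i < 2; i++) {
        char *heap = make_arg_name(idents[i], i + 1);
        printf("exact-size name: %s; fits in 10 bytes: %s; fits in 64 bytes: %s\n",
               heap ? heap : "(alloc failed)",
               name_fits(10, idents[i], i + 1) ? "yes" : "no",
               name_fits(64, idents[i], i + 1) ? "yes" : "no");
        free(heap);
    }
    return 0;
}
```

Either approach removes the crash; the difference is that the bounded version still needs an agreed maximum identifier length and a caller that acts on the -1, whereas the exact-size version has no limit to get wrong.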