[Bug 1205126] Re: rpcgen segfaults if argument is longer than 10 characters

David Cullen dacullen at cisco.com
Thu Jul 25 22:38:16 UTC 2013 

The following msg.x file can be used to duplicate the defect:

program PROGRAM {
        version VERSION {
                int function1(string very_long_argument_name) = 1;
                int function2(string very_long_argument_name) = 2;
                int function3(string very_long_argument_name) = 3;
        } = 1;
} = 0x20000001;

Use the following command line to trigger the defect:

rpcgen -C -M -N -l msg.x -o msg_clnt.c

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1205126

Title:
  rpcgen segfaults if argument is longer than 10 characters

Status in “eglibc” package in Ubuntu:
  New

Bug description:
  rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with
  "expected type specifier" if a function argument is longer than 10
  characters.

  The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates
  a 10 character buffer on the stack and then uses unsafe functions to
  copy to it and write to it.

  The following patch fixes the problem:

  diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
  --- eglibc-2.15.old/sunrpc/rpc_parse.c  2010-08-19 16:32:31.000000000 -0400
  +++ eglibc-2.15.new/sunrpc/rpc_parse.c  2013-07-25 18:20:35.291300550 -0400
  @@ -521,7 +521,8 @@ static void
   get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
   {
     token tok;
  -  char name[10];               /* argument name */
  +  char name[64];               /* argument name */
  +  const size_t namelen = sizeof(name);

     if (dkind == DEF_PROGRAM)
       {
  @@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
     get_type (&dec->prefix, &dec->type, dkind);
     dec->rel = REL_ALIAS;
     if (peekscan (TOK_IDENT, &tok))      /* optional name of argument */
  -    strcpy (name, tok.str);
  +    {
  +      strncpy (name, tok.str, namelen);
  +      name[namelen - 1] = '\0';                /* strncpy may not null terminate string */
  +    }
     else
  -    sprintf (name, "%s%d", ARGNAME, num);      /* default name of argument */
  +    snprintf (name, namelen, "%s%d", ARGNAME, num);    /* default name of argument */

     dec->name = (char *) strdup (name);

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1205126/+subscriptions

More information about the foundations-bugs mailing list