[Bug 1205126] Re: rpcgen segfaults if argument is longer than 10 characters

David Cullen dacullen at cisco.com
Mon Jul 29 11:50:18 UTC 2013


This is probably related to
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/776192.

The code that causes the defect has been in rpc_parse.c since at least
2.11 of vanilla eglibc.

However, on Precise, the code is compiled with stack protection
disabled.

Maybe eglibc is built for Saucy with stack protection enabled. You may
want to look at the output on Saucy to see if the argument is silently
truncated.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1205126

Title:
  rpcgen segfaults if argument is longer than 10 characters

Status in “eglibc” package in Ubuntu:
  Triaged

Bug description:
  rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with
  "expected type specifier" if a function argument is longer than 10
  characters.

  The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates
  a 10 character buffer on the stack and then uses unsafe functions to
  copy to it and write to it.

  The following patch fixes the problem:

  diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
  --- eglibc-2.15.old/sunrpc/rpc_parse.c  2010-08-19 16:32:31.000000000 -0400
  +++ eglibc-2.15.new/sunrpc/rpc_parse.c  2013-07-25 18:20:35.291300550 -0400
  @@ -521,7 +521,8 @@ static void
   get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
   {
     token tok;
  -  char name[10];               /* argument name */
  +  char name[64];               /* argument name */
  +  const size_t namelen = sizeof(name);

     if (dkind == DEF_PROGRAM)
       {
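Review bot: the new 64-byte buffer trades an overflow for an undocumented, arbitrary limit; a declaration comment (or a named constant such as `#define ARG_NAME_MAX 64`) should state that identifiers of 64 or more characters are cut to 63, since nothing at this declaration says so. `namelen` is only a local alias for `sizeof (name)`; writing `sizeof name` at the two use sites reads the same and avoids the extra variable. Style nit: the surrounding code puts a space before the opening parenthesis (`strcpy (name, tok.str)`, `snprintf (name, ...)`), so `sizeof(name)` should be `sizeof (name)` to match.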
  @@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
     get_type (&dec->prefix, &dec->type, dkind);
     dec->rel = REL_ALIAS;
     if (peekscan (TOK_IDENT, &tok))      /* optional name of argument */
  -    strcpy (name, tok.str);
  +    {
  +      strncpy (name, tok.str, namelen);
  +      name[namelen - 1] = '\0';                /* strncpy may not null terminate string */
  +    }
     else
  -    sprintf (name, "%s%d", ARGNAME, num);      /* default name of argument */
  +    snprintf (name, namelen, "%s%d", ARGNAME, num);    /* default name of argument */

     dec->name = (char *) strdup (name);
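Review bot: the strncpy branch silently truncates an overlong identifier instead of reporting it; two argument names that share their first 63 characters now yield the same dec->name, so the generated C would reference one identifier for two parameters with no diagnostic. Because the function ends with `dec->name = (char *) strdup (name);`, the IDENT branch does not need the bounded buffer at all: `dec->name = (char *) strdup (tok.str);` (or an error for a too-long token) removes the limit entirely. The strncpy plus explicit terminator is correct for what it does, and snprintf is the right fix for the default-name path, whose output (ARGNAME followed by an int) cannot exceed 64 bytes unless ARGNAME itself is long.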

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1205126/+subscriptions
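The following is an added example, not code from the bug report or from eglibc, showing the two behaviours discussed above: why strcpy into the original char name[10] overflows for a ten-character identifier (the terminator needs an eleventh byte), and how the patched strncpy/snprintf shape bounds the copy but truncates silently, so that distinct names with a common 63-character prefix collapse to one generated identifier. The helper names (strcpy_would_overflow, make_arg_name, truncated_names_collide) and the default prefix "arg" are assumptions for illustration; the real ARGNAME in rpc_parse.c is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed default argument prefix (illustrative; the real ARGNAME in
 * rpc_parse.c is not shown on the page). */
#define ARGNAME "arg"

/* Size of the original stack buffer in get_prog_declaration. */
#define ORIG_NAME_LEN 10
/* Size after the posted patch. */
#define PATCHED_NAME_LEN 64

/* Would strcpy(name, tok_str) into a buffer of buflen bytes write past its
 * end? strcpy copies strlen+1 bytes (it includes the terminator), so a
 * 10-character name already overflows the original char name[10]. */
int strcpy_would_overflow(const char *tok_str, size_t buflen)
{
    return strlen(tok_str) + 1 > buflen;
}

/* Bounded version of the patched logic. Returns 0 on success, 1 if the
 * identifier had to be truncated (strncpy) or the default name did not fit
 * (snprintf), so a caller can emit a diagnostic instead of silently using a
 * shortened identifier. */
int make_arg_name(char *name, size_t buflen, const char *tok_str, int num)
{
    if (buflen == 0)
        return 1;
    if (tok_str != NULL) {
        strncpy(name, tok_str, buflen);
        name[buflen - 1] = '\0';           /* strncpy does not terminate when the source is too long */
        return strlen(tok_str) >= buflen;  /* source needed buflen+ bytes: something was cut */
    }
    int n = snprintf(name, buflen, "%s%d", ARGNAME, num);
    return n < 0 || (size_t)n >= buflen;   /* snprintf returns the length it wanted to write */
}

/* Two distinct source identifiers that agree in their first buflen-1
 * characters collapse to the same generated name after truncation. */
int truncated_names_collide(const char *a, const char *b, size_t buflen)
{
    char na[PATCHED_NAME_LEN], nb[PATCHED_NAME_LEN];
    if (buflen > sizeof na)
        buflen = sizeof na;
    make_arg_name(na, buflen, a, 0);
    make_arg_name(nb, buflen, b, 0);
    return strcmp(na, nb) == 0;
}

int main(void)
{
    /* Constructed sample identifier: exactly 10 characters. */
    const char *ten_chars = "descriptor";
    char name[PATCHED_NAME_LEN];

    printf("\"%s\" overflows char[%d]: %s\n", ten_chars, ORIG_NAME_LEN,
           strcpy_would_overflow(ten_chars, ORIG_NAME_LEN) ? "yes" : "no");

    int truncated = make_arg_name(name, sizeof name, ten_chars, 0);
    printf("patched buffer: \"%s\" (truncated=%d)\n", name, truncated);

    truncated = make_arg_name(name, sizeof name, NULL, 3);
    printf("default name: \"%s\" (truncated=%d)\n", name, truncated);
    return 0;
}
```

make_arg_name returns a status rather than relying on the caller to notice a shortened name, which is the check David Cullen's reply asks about: with the posted patch alone, the only visible symptom of an overlong identifier on a stack-protected build is a silently truncated name in the generated code.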




More information about the foundations-bugs mailing list