[Bug 1205126] Re: rpcgen segfaults if argument is longer than 10 characters

David Cullen dacullen at cisco.com
Mon Jul 29 15:24:05 UTC 2013


In bug 776192, the reporter says that the argument name must be longer
than 17 bytes. This may mean that longer or shorter argument names
trigger the defect on other systems. The example code I provided may not
be sufficient to trigger the defect on Saucy.

All that being said, I do not understand the relevance of whether or
not this is an issue in Saucy.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1205126

Title:
  rpcgen segfaults if argument is longer than 10 characters

Status in “eglibc” package in Ubuntu:
  Triaged

Bug description:
  rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with
  "expected type specifier" if a function argument is longer than 10
  characters.

  The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates
  a 10 character buffer on the stack and then uses unsafe functions to
  copy to it and write to it.

  The following patch fixes the problem:

  diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
  --- eglibc-2.15.old/sunrpc/rpc_parse.c  2010-08-19 16:32:31.000000000 -0400
  +++ eglibc-2.15.new/sunrpc/rpc_parse.c  2013-07-25 18:20:35.291300550 -0400
  @@ -521,7 +521,8 @@ static void
   get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
   {
     token tok;
  -  char name[10];               /* argument name */
  +  char name[64];               /* argument name */
  +  const size_t namelen = sizeof(name);

     if (dkind == DEF_PROGRAM)
       {
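Review bot: enlarging `name` from 10 to 64 bytes raises the limit rather than removing it; an identifier of 64 or more characters is still cut off by the copy in the next hunk, so either check `strlen (tok.str)` against `namelen` here and report an error when it does not fit, or drop the fixed stack buffer altogether, since the result is passed straight to `strdup` and could be built on the heap at the identifier's real length.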
  @@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
     get_type (&dec->prefix, &dec->type, dkind);
     dec->rel = REL_ALIAS;
     if (peekscan (TOK_IDENT, &tok))      /* optional name of argument */
  -    strcpy (name, tok.str);
  +    {
  +      strncpy (name, tok.str, namelen);
  +      name[namelen - 1] = '\0';                /* strncpy may not null terminate string */
  +    }
     else
  -    sprintf (name, "%s%d", ARGNAME, num);      /* default name of argument */
  +    snprintf (name, namelen, "%s%d", ARGNAME, num);    /* default name of argument */

     dec->name = (char *) strdup (name);
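Review bot: the `strncpy` followed by `name[namelen - 1] = '\0'` is correctly terminated, but the truncation it performs is silent: two long argument names that share their first 63 characters would collapse into the same `dec->name` and yield duplicate identifiers in the generated code. Either compare the length before copying and report an error on overflow, or, because the value is `strdup`'d on the last line anyway, use `strdup (tok.str)` for the identifier case and an allocating formatter for the default case and remove the intermediate buffer. The `snprintf` return value is also discarded; comparing it against `namelen` would detect truncation of the default `ARGNAME` name.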

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1205126/+subscriptions

