Bug 26806

Summary: rpcbind can dump core under certain circumstances
Product: Base System
Reporter: ak03 <ak03>
Component: bin
Assignee: iedowse
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 5.0-CURRENT
Hardware: Any
OS: Any
Attachments:
  file.diff (Description: none, Flags: none)

Description ak03 2001-04-23 23:30:01 UTC
rpcbind occasionally dumps core on my -CURRENT box. After I was unable to get a meaningful core dump, it turns out that the program is crashing due to an uninitialized parameter in the addrmerge procedure in rpcbind/util.c.

It looks like addrmerge tries to locate the network device most suitable for sending the request reply to the client and then converts the interface network address into a string. When the client address is on the local subnet, everything is OK and one of the branches of the switch statement on util.c:111 will execute and initialize the tbuf structure with proper values. If the client is not on the local address, the procedure tries to select the "best" interface to handle the request but does NOT initialize the tbuf structure and passes random garbage to taddr2uaddr later when it reaches the found: label. taddr2uaddr crashes with sig 11 in inet_ntop shortly after that.

Fix: The attached patch delays initialization of the tbuf structure until right before taddr2uaddr is called. rpcbind has not crashed for three days already, while before it was reliably dumping core no later than 30 min after system reboot.

How-To-Repeat: Not sure. Simply run a -CURRENT box in a large network with multiple subnets?
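The failure pattern described in the report, as an added example written for this page and not code from rpcbind or the attached patch: a reply-address selector that, like addrmerge, prefers an interface on the client's subnet and otherwise falls back to a "best" interface, but fills in the address buffer only once, immediately before the inet_ntop conversion, on every path that reaches it, and returns NULL instead of converting anything when no interface was chosen. The interface table, the netmasks and the fallback rule (first non-loopback interface) are constructed assumptions for the demonstration, not rpcbind's actual selection logic.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* One configured interface: address and netmask, both in network byte order.
 * Constructed for this example; the real daemon walks the kernel's interface list. */
struct iface {
    struct sockaddr_in addr;
    uint32_t netmask;
};

static int same_subnet(const struct sockaddr_in *a, const struct sockaddr_in *b,
                       uint32_t mask)
{
    return (a->sin_addr.s_addr & mask) == (b->sin_addr.s_addr & mask);
}

/* Choose the interface address to reply from and render it as a dotted quad
 * into `out`. Returns `out`, or NULL when no interface exists. The temporary
 * `tbuf` is initialized on the single path that leads to the conversion, so the
 * "not on a local subnet" case can never hand stale stack contents to inet_ntop. */
const char *pick_reply_addr(const struct sockaddr_in *client,
                            const struct iface *ifs, size_t n,
                            char *out, size_t outlen)
{
    const struct iface *best = NULL;
    struct sockaddr_in tbuf;

    for (size_t i = 0; i < n; i++) {
        /* Client on a directly attached subnet: that interface wins outright. */
        if (same_subnet(client, &ifs[i].addr, ifs[i].netmask)) {
            best = &ifs[i];
            break;
        }
        /* Otherwise remember a fallback (assumed rule: first non-loopback interface). */
        if (best == NULL && ifs[i].addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK))
            best = &ifs[i];
    }
    if (best == NULL)
        return NULL;                     /* nothing selected: do not convert garbage */

    memset(&tbuf, 0, sizeof tbuf);       /* initialize right before use, on all paths */
    tbuf.sin_family = AF_INET;
    tbuf.sin_addr = best->addr.sin_addr;
    return inet_ntop(AF_INET, &tbuf.sin_addr, out, (socklen_t)outlen);
}

static struct sockaddr_in mk(const char *dotted)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, dotted, &sa.sin_addr);
    return sa;
}

/* Constructed interface table: loopback plus two LAN interfaces. Returns the
 * address string chosen for the given client, or NULL. */
const char *reply_addr_for(const char *client_dotted, char *out, size_t outlen)
{
    struct iface ifs[3];
    ifs[0].addr = mk("127.0.0.1");    ifs[0].netmask = htonl(0xff000000u);
    ifs[1].addr = mk("192.168.1.10"); ifs[1].netmask = htonl(0xffffff00u);
    ifs[2].addr = mk("10.0.5.7");     ifs[2].netmask = htonl(0xffff0000u);
    struct sockaddr_in client = mk(client_dotted);
    return pick_reply_addr(&client, ifs, 3, out, outlen);
}

/* Edge case: an empty interface table must yield NULL rather than a crash. */
const char *reply_addr_no_ifaces(char *out, size_t outlen)
{
    struct sockaddr_in client = mk("192.168.1.44");
    return pick_reply_addr(&client, NULL, 0, out, outlen);
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    const char *clients[] = { "192.168.1.44", "10.0.200.1", "8.8.8.8" };
    for (size_t i = 0; i < 3; i++) {
        const char *r = reply_addr_for(clients[i], buf, sizeof buf);
        printf("client %-13s -> reply from %s\n", clients[i], r ? r : "(none)");
    }
    return 0;
}
```

The first two clients land on attached subnets and get that interface; the third is off-net and gets the fallback interface, which is exactly the path that the report says left tbuf unset in the original code. Building with -Wall -Wuninitialized (or running under a tool such as Valgrind) is the cheap way to catch the original pattern, since an out-of-subnet client is the only input that reaches the bad path.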
Comment 1 iedowse freebsd_committer freebsd_triage 2001-04-24 01:01:45 UTC
Responsible Changed
From-To: freebsd-bugs->iedowse

I'll deal with this. Thanks for the patch and the analysis!
Comment 2 iedowse freebsd_committer freebsd_triage 2001-04-26 18:26:45 UTC
State Changed
From-To: open->feedback
I've committed a bugfix from NetBSD which should address this issue. I 
think your patch may have been more complete, but I'd like to keep the 
code as close as possible to NetBSD's for now. Could you verify that 
revision 1.2 of util.c fixes the problem you were seeing? Thanks.
Comment 3 iedowse freebsd_committer freebsd_triage 2001-05-10 17:49:02 UTC
State Changed
From-To: feedback->closed
Submitter has confirmed that util.c r1.2 resolved this issue.