The libc/rpc/svc_vc.c:write_vc() function calls _write() and sends data to an opened TCP connection. For a non-blocking socket it has something like a 2-second timeout (actually write_vc() can spend more real time sending on a non-blocking socket). The i variable is used as the offset into the buffer and as a counter at the same time. When _write() fails this variable gets the value -1, and this value is added to the buffer address and to the counter (the buffer address is decreased and the counter value is actually increased). So we get a buffer underflow. As a result write_vc() can send data that does not belong to the data that were expected to be sent, so this is a security mistake for any program that uses RPC with a non-blocking TCP socket.

Fix: This is the update (this is the minimal version, without optimization):

How-To-Repeat: Run any RPC program that transfers big data over a non-blocking TCP socket. A client will receive truncated data or garbage data, or data that should not be sent to a client (everything depends on how memory blocks were allocated in the server).
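The loop shape the report describes, as an added example that is not the svc_vc.c code or the committed fix: a constructed fake transport stands in for _write() and fails with EAGAIN on every other call, and the buggy loop is shown beside a hardened variant whose `i = 0` reset on EAGAIN is my assumption of a minimal fix, not taken from r220519.

```c
#include <errno.h>
#include <stddef.h>
/* Constructed layout: the 8-byte record sits mid-arena, so an underflowing
 * pointer still lands in memory we own (the neighbouring bytes that leak). */
static const char arena[25] = "........RPCREPLY........";
static const char *const msg = arena + 8;
static int calls;
static ptrdiff_t min_off;   /* lowest offset from msg handed to fake_write */
static long sent;           /* bytes the fake transport accepted */
/* Stand-in for _write(): fails with EAGAIN on every other call, as a
 * non-blocking socket with a full send queue does, else takes <= 2 bytes.
 * It only records where the caller pointed it; nothing is dereferenced. */
static int fake_write(const char *buf, size_t cnt)
{
    ptrdiff_t off = buf - msg;
    if (calls++ % 2 == 0) { errno = EAGAIN; return -1; }
    if (off < min_off) min_off = off;
    size_t n = cnt < 2 ? cnt : 2;
    sent += (long)n;
    return (int)n;
}
static void reset(void) { calls = 0; min_off = 0; sent = 0; }
/* Loop shape from the report: i is both the step applied to buf and the
 * decrement of cnt, so a -1 return walks buf backwards and makes cnt grow.
 * Returns bytes handed to the transport; the cap just keeps it finite. */
static long write_loop_buggy(int len)
{
    const char *buf = msg; int i, cnt, iter = 0;
    reset();
    for (cnt = len; cnt > 0 && iter < 64; cnt -= i, buf += i, iter++) {
        i = fake_write(buf, (size_t)cnt);
        if (i < 0 && errno != EAGAIN) return -1;   /* real error */
    }
    return sent;
}
/* Hardened loop (assumed fix): a failed write contributes 0 to offset and
 * count, so only bytes actually accepted advance the cursor. */
static long write_loop_fixed(int len)
{
    const char *buf = msg; int i, cnt;
    reset();
    for (cnt = len; cnt > 0; cnt -= i, buf += i) {
        i = fake_write(buf, (size_t)cnt);
        if (i < 0) {
            if (errno != EAGAIN) return -1;        /* real error */
            i = 0;                                 /* retry same spot */
        }
    }
    return sent;
}
```

With the 8-byte record, the buggy loop hands the transport 16 bytes and at one point points it one byte before the record (min_off of -1), while the fixed loop sends exactly 8 and never leaves the record.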
State Changed From-To: open->patched The patch has been applied to head and will be MFC'd in 2 weeks.
Responsible Changed From-To: freebsd-bugs->rmacklem Reassign to last person to poke at this :-)
State Changed From-To: patched->closed The patch that fixed this (r220519) has now been MFC'd.