Bug 154505 - [libc] [patch]Buffer underflow in RPC library for non-blocking TCP sockets
Summary: [libc] [patch]Buffer underflow in RPC library for non-blocking TCP sockets
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 8.2-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Rick Macklem
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-04 10:10 UTC by Andrey Simonenko
Modified: 2011-10-20 23:41 UTC (History)

See Also:


Attachments
file.diff (460 bytes, patch)
2011-02-04 10:10 UTC, Andrey Simonenko

Description Andrey Simonenko 2011-02-04 10:10:09 UTC
The libc/rpc/svc_vc.c:write_vc() function calls _write() and sends data
to an opened TCP connection.  For a non-blocking socket it has something like
a timeout of 2 seconds (actually write_vc() can spend more real time
sending on a non-blocking socket).  The i variable is used as an offset into
a buffer and as a counter at the same time.  When _write() fails this
variable gets the value -1, and this value is added to the buffer address
and to the counter (the buffer address is decreased and the counter value
is actually increased).  So we get a buffer underflow.

As a result write_vc() can send data that does not belong to the data that
were expected to be sent, so this is a security mistake for any program
that uses RPC with a non-blocking TCP socket.

Fix: This is the update (this is the minimal version, without optimization):
How-To-Repeat: 
Run any RPC program that transfers big data over a non-blocking TCP socket.
A client will receive truncated data or garbage data, or data that should
not be sent to a client (everything depends on how memory blocks were
allocated in the server).
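Added illustration (not the FreeBSD svc_vc.c code and not the attached patch): the write-loop shape the report describes, driven by a constructed stand-in for _write() so the effect of a -1 result on the pointer and the count can be observed directly. The `script` results, the guard bytes, and the retry bound in `write_fixed` are assumptions made for the demonstration.

```c
#include <errno.h>
#include <string.h>
/* Constructed stand-in for _write(): returns the next scripted result, where
 * -1 means "would block" (errno = EAGAIN). Accepted bytes go to `wire`. */
static const int script[] = { -1, -1, 4, 4, 4, 4 };
static size_t script_pos, wire_len;
static char wire[64];
static int fake_write(const char *buf, int cnt)
{
    int r = script[script_pos++ % (sizeof script / sizeof script[0])];
    if (r < 0) { errno = EAGAIN; return -1; }
    if (r > cnt) r = cnt;
    memcpy(wire + wire_len, buf, (size_t)r);
    wire_len += (size_t)r;
    return r;
}
static void reset(void) { script_pos = 0; wire_len = 0; memset(wire, 0, sizeof wire); }
/* Guard bytes in front of the payload stand for whatever the allocator put
 * there; a correct sender must never transmit them (constructed data). */
static char area[17] = "GGGGGGGGpayload!";
#define PAYLOAD (area + 8)
#define PAYLOAD_LEN 8
/* Buggy pattern from the report: a -1 from the write is folded into the
 * pointer and the count. Returns the lowest offset (relative to buf) ever
 * handed to the write call; a negative value is the underflow. */
static long write_buggy(const char *buf, int len)
{
    const char *p = buf;
    int cnt, i; long min_off = 0;
    for (cnt = len; cnt > 0; cnt -= i, p += i) {
        if (p - buf < min_off) min_off = p - buf;
        i = fake_write(p, cnt);
        if (i < 0 && errno != EAGAIN) return -1;  /* hard error: give up */
    }
    return min_off;
}
/* Hardened form (assumed fix, not the attached diff): would-block means zero
 * progress, and retries are bounded (svc_vc.c bounds them by its 2 s timeout). */
static int write_fixed(const char *buf, int len)
{
    const char *p = buf;
    int cnt, i, retries = 0;
    for (cnt = len; cnt > 0; cnt -= i, p += i) {
        i = fake_write(p, cnt);
        if (i < 0) {
            if (errno != EAGAIN || ++retries > 8) return -1;
            i = 0;  /* nothing was written, so p and cnt must not move */
        }
    }
    return len;
}
```

With two would-block results first, the buggy loop hands the write call a pointer two bytes before the payload and ships the guard bytes, while the hardened loop sends exactly the payload.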
Comment 1 Rick Macklem freebsd_committer freebsd_triage 2011-04-11 21:15:10 UTC
State Changed
From-To: open->patched



The patch has been applied to head and will be MFC'd in 2 weeks.
Comment 2 Remko Lodder freebsd_committer freebsd_triage 2011-10-12 15:44:42 UTC
Responsible Changed
From-To: freebsd-bugs->rmacklem

Reassign to last person to poke at this :-)
Comment 3 Rick Macklem freebsd_committer freebsd_triage 2011-10-20 23:40:45 UTC
State Changed
From-To: patched->closed


The patch that fixed this (r220519) has now been MFC'd.