Bug 172576 - [librpc] librpc segfaults when out of memory
Status: Open
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2012-10-10 23:58 UTC by Ritesh Shah
Modified: 2018-01-03 05:16 UTC
Description Ritesh Shah 2012-10-10 23:58:22 UTC
The xdrrec_create() routine in lib/libc/xdr/xdr_rec.c returns void. Under a low memory condition this routine can bail out early and leave part of the XDR structure uninitialized.

The callers:

  clnt_vc_create() in lib/libc/rpc/clnt_vc.c and
  makefd_xprt() in lib/libc/rpc/svc_vc.c

do not check whether it failed or not.

This can lead to a segfault when uninitialized pointers are accessed.

This bug exists in FreeBSD 9 as well.

        rstrm->in_base = mem_alloc(recvsize);
        if (rstrm->in_base == NULL) {
                warnx("xdrrec_create: out of memory");
                mem_free(rstrm->out_base, sendsize);
                mem_free(rstrm, sizeof(RECSTREAM));
                /* early return: xdrs->x_ops and xdrs->x_private below are never set */
                return;
        }
        /*
         * now the rest ...
         */
        xdrs->x_ops = &xdrrec_ops;
        xdrs->x_private = rstrm;
        rstrm->tcp_handle = tcp_handle;

Fix: 

It has been reported against NetBSD as well.

http://mail-index.netbsd.org/netbsd-bugs/2012/08/06/msg029375.html

I can provide a patch if there is an agreement on how it should be fixed.
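A self-contained model of the failure mode, added here as an illustration and not code from libc or from the reporter: create_void() mirrors the shape of the xdrrec_create() fragment above, and create_checked() shows one way of giving callers like clnt_vc_create() and makefd_xprt() something to test; the type names, the fault-injecting mem_alloc(), and the flag constants are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for XDR and RECSTREAM (constructed; not libc's real layouts). */
typedef struct { const void *x_ops; void *x_private; } xdr_t;
typedef struct { char *out_base; char *in_base; } recstream_t;
static const int xdrrec_ops = 0;        /* placeholder for &xdrrec_ops */

/* Fault-injecting allocator: requests above alloc_limit fail, so the
 * out-of-memory path is reproducible without exhausting real memory. */
static size_t alloc_limit = (size_t)-1;
static void *mem_alloc(size_t n) { return n > alloc_limit ? NULL : malloc(n); }
/* Same shape as the report's xdrrec_create(): returns void and bails out
 * early, so x_ops/x_private keep whatever garbage the caller had there. */
static void create_void(xdr_t *xdrs, size_t sendsize, size_t recvsize)
{
    recstream_t *rstrm = mem_alloc(sizeof *rstrm);
    if (rstrm == NULL) return;
    rstrm->out_base = mem_alloc(sendsize);
    if (rstrm->out_base == NULL) { free(rstrm); return; }
    rstrm->in_base = mem_alloc(recvsize);
    if (rstrm->in_base == NULL) { free(rstrm->out_base); free(rstrm); return; }
    xdrs->x_ops = &xdrrec_ops;
    xdrs->x_private = rstrm;
}

/* Hardened shape (one possible fix, not necessarily the one adopted):
 * clear the struct first and return a status the caller can check. */
static int create_checked(xdr_t *xdrs, size_t sendsize, size_t recvsize)
{
    memset(xdrs, 0, sizeof *xdrs);
    create_void(xdrs, sendsize, recvsize);
    return xdrs->x_ops != NULL ? 0 : -1;
}
/* Run both versions with the 4 KiB buffers forced to fail; all three flags
 * set means the void version reproduces the bug and the checked one is clean. */
enum { VOID_LEFT_STALE = 1, CHECKED_FAILED = 2, CHECKED_CLEARED = 4 };
int probe_oom_paths(void)
{
    int sentinel, flags = 0;            /* &sentinel stands in for junk */
    xdr_t a = { NULL, &sentinel }, b = { NULL, &sentinel };
    alloc_limit = 64;                   /* RECSTREAM fits, 4096 does not */
    create_void(&a, 4096, 4096);
    int rc = create_checked(&b, 4096, 4096);
    alloc_limit = (size_t)-1;
    if (a.x_private == &sentinel) flags |= VOID_LEFT_STALE;
    if (rc == -1) flags |= CHECKED_FAILED;
    if (b.x_ops == NULL && b.x_private == NULL) flags |= CHECKED_CLEARED;
    return flags;
}
```

With the void version a caller that goes on to use xdrs->x_private dereferences whatever was on the stack, which is the segfault the report describes; with the checked version the caller has a return code and a NULL x_ops to test before doing so.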
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:27 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped