From patchwork Wed Dec 2 08:56:06 2020
X-Patchwork-Submitter: Stefan Liebler
X-Patchwork-Id: 41252
To: libc-alpha@sourceware.org
Subject: [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
Date: Wed, 2 Dec 2020 09:56:06 +0100
Message-Id: <20201202085606.338429-1-stli@linux.ibm.com>
X-Mailer: git-send-email 2.23.0
From: Stefan Liebler

If glibc is built with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:

svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
  274 |   memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

In the out-of-memory case, if one of the mallocs in the makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL and the
subsequent memcpy would copy to NULL.

Instead of segfaulting, svctcp_rendezvous_abort is now called.

The same applies to svc_unix.c.
--- sunrpc/svc_tcp.c | 5 +++++ sunrpc/svc_unix.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c index efbdd22548..738d47edb0 100644 --- a/sunrpc/svc_tcp.c +++ b/sunrpc/svc_tcp.c @@ -271,6 +271,11 @@ again: * make a new transporter (re-uses xprt) */ xprt = makefd_xprt (sock, r->sendsize, r->recvsize); + + /* If we are out of memory, makefd_xprt has already dumped an error. */ + if (xprt == NULL) + svctcp_rendezvous_abort (); + memcpy (&xprt->xp_raddr, &addr, sizeof (addr)); xprt->xp_addrlen = len; return FALSE; /* there is never an rpc msg to be processed */ diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index e01afeabe6..b13a4cd282 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -270,6 +270,11 @@ again: memset (&in_addr, '\0', sizeof (in_addr)); in_addr.sin_family = AF_UNIX; xprt = makefd_xprt (sock, r->sendsize, r->recvsize); + + /* If we are out of memory, makefd_xprt has already dumped an error. */ + if (xprt == NULL) + svcunix_rendezvous_abort (); + memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr)); xprt->xp_addrlen = len; return FALSE; /* there is never an rpc msg to be processed */
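Review bot: In the svc_tcp.c hunk, nothing follows the call to svctcp_rendezvous_abort () inside the new if (xprt == NULL) branch, so the memcpy into &xprt->xp_raddr is only safe if that function never returns. Its declaration is not part of the hunk; if it is not marked noreturn, the NULL path still reaches the memcpy as far as the compiler can tell, and a caller that ever gets control back dereferences NULL exactly as before. Suggest confirming the attribute on the declaration, or making the control flow explicit with a return after the call, and having the comment state that the function does not return.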
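Review bot: The NULL branch in the svc_unix.c hunk answers a per-connection allocation failure with svcunix_rendezvous_abort (), and if that call ends the process, as its name and the absence of a return suggest, memory pressure during connection setup stops the whole RPC server instead of refusing one connection. Consider failing only this connection: close sock, which was handed to makefd_xprt and is not released anywhere in the visible lines, then return FALSE as the normal path does. The same consideration applies to the svc_tcp.c hunk, and the commit message should say which behaviour is intended on out-of-memory.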