This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.
Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.
Hi!
xdr_rmtcall_args first encodes arglen just to allocate space for it,
then outputs the actual arguments and once they are output, XDR_SETPOS
to the location of argument length and outputs the newly computed
arglen.
The problem is that cap->arglen is usually an uninitialized value
(it makes no sense to initialize it, as xdr_rmtcall_args is
supposed to set it and on 32-bit arches doesn't rely on its
previous value).
But on 64-bit, if the uninitialized cap->arglen happens to have
any of the upper 32 bits set, xdr_u_long will fail.
Fixed thusly:
2005-04-04 Jakub Jelinek <jakub@redhat.com>
* sunrpc/pmap_rmt.c (xdr_rmtcall_args): Use a dummy arglen instead
of trying to encode uninitialized arglen.
--- libc/sunrpc/pmap_rmt.c.jj 2004-10-01 12:05:01.000000000 +0200
+++ libc/sunrpc/pmap_rmt.c 2005-04-04 08:39:19.000000000 +0200
@@ -125,8 +125,9 @@ xdr_rmtcall_args (XDR *xdrs, struct rmtc
INTUSE(xdr_u_long) (xdrs, &(cap->vers)) &&
INTUSE(xdr_u_long) (xdrs, &(cap->proc)))
{
+ u_long dummy_arglen = 0;
lenposition = XDR_GETPOS (xdrs);
- if (!INTUSE(xdr_u_long) (xdrs, &(cap->arglen)))
+ if (!INTUSE(xdr_u_long) (xdrs, &dummy_arglen))
return FALSE;
argposition = XDR_GETPOS (xdrs);
if (!(*(cap->xdr_args)) (xdrs, cap->args_ptr))
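Review bot: The placeholder write `INTUSE(xdr_u_long) (xdrs, &dummy_arglen)` carries no comment saying that the word at `lenposition` is only being reserved here, so a later reader could take `dummy_arglen` for a mistake and switch it back to `cap->arglen`. A one-line comment above `u_long dummy_arglen = 0;` stating that the value is a placeholder and that `cap->arglen` must not be read at this point would keep the fix from being undone.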
Jakub
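
The failure described in the message above, reproduced in a simplified model. This is an added example, not code from the post or from glibc: `struct enc`, `put_ulong` and `try_encode` are hypothetical names, and `uint64_t` stands in for a 64-bit `u_long` so the behaviour is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical in-memory encoder, a simplified model rather than glibc code. */
struct enc { unsigned char buf[32]; size_t pos; };

/* Encode a 64-bit-wide "u_long" as one 32-bit big-endian XDR word.
   Fails if any of the upper 32 bits are set, as the message describes. */
static int put_ulong(struct enc *e, uint64_t v)
{
    if (v > UINT32_MAX || e->pos + 4 > sizeof e->buf)
        return 0;
    for (int shift = 24; shift >= 0; shift -= 8)
        e->buf[e->pos++] = (unsigned char)(v >> shift);
    return 1;
}

/* Reserve the length word with slot_value, encode two constructed
   arguments, then seek back and patch in the real length.
   Returns the length word read back from the buffer, or -1 on failure. */
long try_encode(uint64_t slot_value)
{
    struct enc e = { {0}, 0 };
    const uint64_t args[2] = { 0x11223344u, 7 };   /* constructed sample */
    size_t lenpos = e.pos;

    if (!put_ulong(&e, slot_value))     /* fails before any argument is written */
        return -1;
    size_t argpos = e.pos;
    for (size_t i = 0; i < 2; i++)
        if (!put_ulong(&e, args[i]))
            return -1;
    size_t end = e.pos;
    e.pos = lenpos;                     /* the XDR_SETPOS step */
    if (!put_ulong(&e, end - argpos))
        return -1;
    e.pos = end;
    return ((long)e.buf[lenpos] << 24) | (e.buf[lenpos + 1] << 16)
         | (e.buf[lenpos + 2] << 8) | e.buf[lenpos + 3];
}

int main(void)
{
    printf("stale slot with high bits: %ld\n", try_encode(0xdeadbeef00000000ULL));
    printf("zero placeholder:          %ld\n", try_encode(0));
    return 0;
}
```

A stale value that happens to fit in 32 bits still encodes, which is why the defect only shows up intermittently and only where `u_long` is wider than the XDR word.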