43 lines
1.8 KiB
Diff
43 lines
1.8 KiB
Diff
commit ed6b0fe710b631b99ed9fc28cefedfe69a16dc55
|
||
Author: Brad Hubbard <bhubbard@redhat.com>
|
||
Date: Wed Mar 18 14:51:26 2015 +0530
|
||
|
||
Use calloc to allocate xports (BZ #17542)
|
||
|
||
If xports is NULL in xprt_register we malloc it but if sock >
|
||
_rpc_dtablesize() that memory does not get initialised and may in theory
|
||
contain any value. Later we make a conditional jump in svc_getreq_common
|
||
based on the uninitialised memory and this caused a general protection
|
||
fault in rpc.statd on an older version of glibc but this code has not
|
||
changed since that version.
|
||
|
||
Following is the valgrind warning.
|
||
|
||
==26802== Conditional jump or move depends on uninitialised value(s)
|
||
==26802== at 0x5343A25: svc_getreq_common (in /lib64/libc-2.5.so)
|
||
==26802== by 0x534357B: svc_getreqset (in /lib64/libc-2.5.so)
|
||
==26802== by 0x10DE1F: ??? (in /sbin/rpc.statd)
|
||
==26802== by 0x10D0EF: main (in /sbin/rpc.statd)
|
||
==26802== Uninitialised value was created by a heap allocation
|
||
==26802== at 0x4C2210C: malloc (vg_replace_malloc.c:195)
|
||
==26802== by 0x53438BE: xprt_register (in /lib64/libc-2.5.so)
|
||
==26802== by 0x53450DF: svcudp_bufcreate (in /lib64/libc-2.5.so)
|
||
==26802== by 0x10FE32: ??? (in /sbin/rpc.statd)
|
||
==26802== by 0x10D13E: main (in /sbin/rpc.statd)
|
||
|
||
diff --git glibc-2.17-c758a686/sunrpc/svc.c glibc-2.17-c758a686/sunrpc/svc.c
|
||
index 8c4e8a5..c6ccf10 100644
|
||
--- glibc-2.17-c758a686/sunrpc/svc.c
|
||
+++ glibc-2.17-c758a686/sunrpc/svc.c
|
||
@@ -97,8 +97,8 @@ xprt_register (SVCXPRT *xprt)
|
||
|
||
if (xports == NULL)
|
||
{
|
||
- xports = (SVCXPRT **) malloc (_rpc_dtablesize () * sizeof (SVCXPRT *));
|
||
- if (xports == NULL) /* Don´t add handle */
|
||
+ xports = (SVCXPRT **) calloc (_rpc_dtablesize (), sizeof (SVCXPRT *));
|
||
+ if (xports == NULL) /* Don't add handle */
|
||
return;
|
||
}
|
||
|