rpcgen segfaults if argument is longer than 10 characters
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
eglibc (Ubuntu) | Triaged | Medium | Unassigned | | |
Bug Description
rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with "expected type specifier" if a function argument is longer than 10 characters.
The function get_prog_
The following patch fixes the problem:
diff -uprN eglibc-
--- eglibc-
+++ eglibc-
@@ -521,7 +521,8 @@ static void
get_prog_
{
token tok;
- char name[10]; /* argument name */
+ char name[64]; /* argument name */
+ const size_t namelen = sizeof(name);
if (dkind == DEF_PROGRAM)
{
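Review bot: `char name[64]` in the declaration replaces one arbitrary limit with another; the argument name is still bound to a compile-time size, and nothing here says why 64 or what happens beyond it. Either document the 63-character limit next to the declaration, or drop the staging buffer altogether, since the name ends up in a `strdup` copy anyway.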
@@ -538,9 +539,12 @@ get_prog_
get_type (&dec->prefix, &dec->type, dkind);
dec->rel = REL_ALIAS;
if (peekscan (TOK_IDENT, &tok)) /* optional name of argument */
- strcpy (name, tok.str);
+ {
+ strncpy (name, tok.str, namelen);
+ name[namelen - 1] = '\0'; /* strncpy may not null terminate string */
+ }
else
- sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ snprintf (name, namelen, "%s%d", ARGNAME, num); /* default name of argument */
dec->name = (char *) strdup (name);
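Review bot: in the `TOK_IDENT` branch, `strncpy` plus the forced terminator silently truncates any identifier of 64 characters or more, so two long argument names sharing a 63-character prefix would become identical and the generated code would no longer match the .x file, with no diagnostic. Suggest reporting an error when `strlen (tok.str) >= namelen`, or assigning `dec->name = strdup (tok.str)` directly in that branch. The `strdup` result is also used unchecked in the line shown.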
The following msg.x file can be used to duplicate the defect:
program PROGRAM {
    version VERSION {
        int function1(string very_long_argument_name) = 1;
        int function2(string very_long_argument_name) = 2;
        int function3(string very_long_argument_name) = 3;
    } = 1;
} = 0x20000001;
Use the following command line to trigger the defect:
rpcgen -C -M -N -l msg.x -o msg_clnt.c
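
The following is an added example, not code from the report or from eglibc: it shows the two defensive options for the 10-byte name buffer described above, a bounded copy that reports truncation and a heap copy with no fixed limit. The helper names, the `"arg"` value of `ARGNAME` and the sample identifier are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGNAME "arg" /* assumed value; the page shows only the macro name */

/* Heap copy of len bytes plus terminator; NULL on allocation failure. */
static char *dup_n(const char *s, size_t len)
{
    char *p = malloc(len + 1);
    if (p != NULL) {
        memcpy(p, s, len);
        p[len] = '\0';
    }
    return p;
}

/* Argument name with no fixed limit on identifiers (hypothetical helper).
   ident is the scanned identifier, or NULL for an unnamed argument. */
char *make_arg_name(const char *ident, int num)
{
    char tmp[sizeof ARGNAME + 3 * sizeof num + 2]; /* prefix + any int + NUL */
    if (ident != NULL)
        return dup_n(ident, strlen(ident));
    int n = snprintf(tmp, sizeof tmp, "%s%d", ARGNAME, num);
    return (n < 0 || (size_t)n >= sizeof tmp) ? NULL : dup_n(tmp, (size_t)n);
}

/* Bounded copy that reports truncation: 0 if src fit, -1 if it was cut. */
int copy_ident(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[10]; /* same size as the original name[] buffer */
    const char *ident = "very_long_argument_name"; /* constructed sample */
    int rc = copy_ident(buf, sizeof buf, ident);
    char *name = make_arg_name(ident, 1);
    printf("bounded: rc=%d \"%s\"\n", rc, buf);
    printf("dynamic: \"%s\"\n", name ? name : "(allocation failed)");
    free(name);
    return 0;
}
```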