rpcgen segfaults if argument is longer than 10 characters

Bug #1205126 reported by David Cullen
Affects: eglibc (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

rpcgen (Ubuntu EGLIBC 2.15-0ubuntu10.4) 2.15 segfaults or fails with "expected type specifier" if a function argument is longer than 10 characters.

The function get_prog_declaration in libc/sunrpc/rpc_parse.c allocates a 10-character buffer on the stack and then uses unsafe functions to copy to it and write to it.

The following patch fixes the problem:

diff -uprN eglibc-2.15.old/sunrpc/rpc_parse.c eglibc-2.15.new/sunrpc/rpc_parse.c
--- eglibc-2.15.old/sunrpc/rpc_parse.c 2010-08-19 16:32:31.000000000 -0400
+++ eglibc-2.15.new/sunrpc/rpc_parse.c 2013-07-25 18:20:35.291300550 -0400
@@ -521,7 +521,8 @@ static void
 get_prog_declaration (declaration * dec, defkind dkind, int num /* arg number */ )
 {
   token tok;
- char name[10]; /* argument name */
+ char name[64]; /* argument name */
+ const size_t namelen = sizeof(name);

   if (dkind == DEF_PROGRAM)
     {
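Review bot: `char name[64]` on the `+` line keeps a fixed-size stack buffer, so this only moves the limit from 10 to 63 characters; combined with the bounded copies in the next hunk, a longer identifier is silently truncated rather than overflowing, which can yield colliding or mismatched parameter names in the generated stubs (the buffer is only ever `strdup`'d into `dec->name` afterwards). Consider dropping `name` and `namelen` altogether and duplicating the token string directly, or computing the needed length with `snprintf (NULL, 0, ...)` and `malloc`ing it, so that no length limit remains.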
@@ -538,9 +539,12 @@ get_prog_declaration (declaration * dec,
   get_type (&dec->prefix, &dec->type, dkind);
   dec->rel = REL_ALIAS;
   if (peekscan (TOK_IDENT, &tok)) /* optional name of argument */
- strcpy (name, tok.str);
+ {
+ strncpy (name, tok.str, namelen);
+ name[namelen - 1] = '\0'; /* strncpy may not null terminate string */
+ }
   else
- sprintf (name, "%s%d", ARGNAME, num); /* default name of argument */
+ snprintf (name, namelen, "%s%d", ARGNAME, num); /* default name of argument */

   dec->name = (char *) strdup (name);
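Review bot: in the `if (peekscan (TOK_IDENT, &tok))` branch, the `strncpy (name, tok.str, namelen);` / `name[namelen - 1] = '\0';` pair truncates identifiers of 64 or more characters with no diagnostic, and the copy is redundant because the very next statement is `dec->name = (char *) strdup (name);`. Replace the branch with `dec->name = strdup (tok.str);` (or report an error for an over-long name) and keep `snprintf` only for the default `ARGNAME` plus number case, which cannot exceed the buffer; a NULL check on the `strdup` result would also be worth adding while this code is being touched.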

David Cullen (dacullen) wrote:

The following msg.x file can be used to duplicate the defect:

program PROGRAM {
        version VERSION {
                int function1(string very_long_argument_name) = 1;
                int function2(string very_long_argument_name) = 2;
                int function3(string very_long_argument_name) = 3;
        } = 1;
} = 0x20000001;

Use the following command line to trigger the defect:

rpcgen -C -M -N -l msg.x -o msg_clnt.c

Dave Gilbert (ubuntu-treblig) wrote:

I can repeat this on Precise, but not Saucy - not sure which ones in between.
Triaged: Got a fix.

(Is this the same as bug 776192?)

Changed in eglibc (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
David Cullen (dacullen) wrote:

This is probably related to https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/776192.

The code that causes the defect has been in rpc_parse.c since at least 2.11 of vanilla eglibc.

However, on Precise, the code is compiled with stack protection disabled.

Maybe eglibc is built for Saucy with stack protection enabled. You may want to look at the output on Saucy to see if the argument is silently truncated.

David Cullen (dacullen) wrote:

In bug 776192, the reporter says that the argument name must be longer than 17 bytes. This may mean that longer or shorter argument names trigger the defect on other systems. The example code I provided may not be sufficient to trigger the defect on Saucy.

All that being said, I do not understand the relevance of whether or not this is an issue in Saucy.
