Author: brooks
Date: Mon May 15 23:13:49 2017
New Revision: 318327
URL: https://svnweb.freebsd.org/changeset/base/318327

Log:
  MFC r317660, r317710
  
  r317660:
  Support clnt_raw's use of FD_SETSIZE as a fake file descriptor.
  
  Accomplish this by allocating space for it in __svc_xports and allowing
  it to be registered.  The failure to allocate space was causing an
  out-of-bounds read in svc_getreq_common().  The failure to register
  caused PR 211804.
  
  The bug was found with CHERI bounds checking.
  
  PR:           211804
  Obtained from:        CheriBSD
  Sponsored by: DARPA, AFRL
  Reviewed by:  ngie
  Differential Revision:        https://reviews.freebsd.org/D10528
  
  r317710:
  Remove expected failure now that it was fixed in r317660.
  
  PR:           211804
  Reviewed by:  ngie
  Obtained from:        CheriBSD
  Sponsored by: DARPA, AFRL
  Differential Revision:        https://reviews.freebsd.org/D10576

Modified:
  stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c
  stable/10/lib/libc/rpc/svc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c
==============================================================================
--- stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c Mon May 15 23:12:04 
2017        (r318326)
+++ stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c Mon May 15 23:13:49 
2017        (r318327)
@@ -335,9 +335,6 @@ ATF_TC_BODY(raw, tc)
 #ifdef __FreeBSD_bug_216954__
        atf_tc_expect_signal(SIGSEGV,
            "fails with SIGSEGV only on ^/stable/10 -- bug # 216954");
-#else
-       atf_tc_expect_fail("fails with: clnt_call: "
-           "RPC: Can't decode result -- PR # 211804");
 #endif
 #endif
        rawtest(NULL);

Modified: stable/10/lib/libc/rpc/svc.c
==============================================================================
--- stable/10/lib/libc/rpc/svc.c        Mon May 15 23:12:04 2017        
(r318326)
+++ stable/10/lib/libc/rpc/svc.c        Mon May 15 23:13:49 2017        
(r318327)
@@ -108,18 +108,19 @@ xprt_register(SVCXPRT *xprt)
        rwlock_wrlock(&svc_fd_lock);
        if (__svc_xports == NULL) {
                __svc_xports = (SVCXPRT **)
-                       mem_alloc(FD_SETSIZE * sizeof(SVCXPRT *));
+                       mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
                if (__svc_xports == NULL) {
                        rwlock_unlock(&svc_fd_lock);
                        return;
                }
-               memset(__svc_xports, '\0', FD_SETSIZE * sizeof(SVCXPRT *));
+               memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT 
*));
        }
        if (sock < FD_SETSIZE) {
                __svc_xports[sock] = xprt;
                FD_SET(sock, &svc_fdset);
                svc_maxfd = max(svc_maxfd, sock);
-       }
+       } else if (sock == FD_SETSIZE)
+               __svc_xports[sock] = xprt;
        rwlock_unlock(&svc_fd_lock);
 }
 
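Review bot: The slot at index FD_SETSIZE is stored without `FD_SET(sock, &svc_fdset)` or a `svc_maxfd` update, and nothing in the code says that this asymmetry is deliberate; a later reader who "completes" the branch would write one past the end of the fd_set. I would put a comment above the `else if`, for example `/* FD_SETSIZE is clnt_raw's fake descriptor: track it in __svc_xports only, never in svc_fdset or svc_maxfd */`. The size expression `(FD_SETSIZE + 1) * sizeof(SVCXPRT *)` is also written out twice, so a named constant for the table length would keep the allocation, the memset and every reader that indexes the table in step. The declaration of `sock` and the start of xprt_register are outside the hunk, so whether a negative descriptor is rejected before `__svc_xports[sock]` cannot be confirmed from here.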
@@ -157,7 +158,8 @@ __xprt_do_unregister(SVCXPRT *xprt, bool
                                if (__svc_xports[svc_maxfd])
                                        break;
                }
-       }
+       } else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
+               __svc_xports[sock] = NULL;
        if (dolock)
                rwlock_unlock(&svc_fd_lock);
 }
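Review bot: The added branch reads `__svc_xports[sock]` without checking that the table was ever allocated. xprt_register returns silently when `mem_alloc` fails, so an unregister that follows a failed register would dereference a NULL `__svc_xports` unless a guard sits above this hunk. If there is none, `} else if (__svc_xports != NULL && sock == FD_SETSIZE && __svc_xports[sock] == xprt)` closes the gap, and the preceding `sock < FD_SETSIZE` test probably wants the same check. The matching `if` and the start of __xprt_do_unregister lie outside the hunk, so this should be confirmed against the full function.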