Bug 1548 - glibc sunrpc svc_getreqset is broken
Status: RESOLVED FIXED
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.3.5
Importance: P2 normal
Assignee: Ulrich Drepper
Reported: 2005-10-25 21:10 UTC by Jay Lan
Modified: 2015-01-07 11:57 UTC (History)
fweimer: security-


Description Jay Lan 2005-10-25 21:10:11 UTC
We ran into problems with an RPC client. File descriptors 32-63, 96-127,
... are not being handled properly.

The svc_run implementation is calling svc_getreqset.
This function is broken because it is using ffs() to find bits
set in the fd_set * passed to it:

  maskp = readfds->fds_bits;
  for (sock = 0; sock < setsize; sock += NFDBITS)
    for (mask = *maskp++; (bit = ffs (mask)); mask ^= (1 << (bit - 1)))
      INTUSE(svc_getreq_common) (sock + bit - 1);

ffs() requires an int argument, but in .../sys/select.h we find

typedef long int __fd_mask;

The problem was reported in version 2.3.3, but the problem still exists
in glibc-2.3.5-10.3.

The problem can be fixed by using ffsl() instead.


--- glibc-2.3/sunrpc/svc.c      2004-02-09 02:47:53 -08:00
+++ glibc-2.3-fix/sunrpc/svc.c  2005-10-24 16:45:50 -07:00
@@ -372,7 +372,7 @@ svc_getreqset (fd_set *readfds)
     setsize = FD_SETSIZE;
   maskp = readfds->fds_bits;
   for (sock = 0; sock < setsize; sock += NFDBITS)
-    for (mask = *maskp++; (bit = ffs (mask)); mask ^= (1 << (bit - 1)))
+    for (mask = *maskp++; (bit = ffsl (mask)); mask ^= (1L << (bit - 1)))
       INTUSE(svc_getreq_common) (sock + bit - 1);
 }
 INTDEF (svc_getreqset)
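Review bot: on the changed `for` line, `1L << (bit - 1)` is still a signed shift, so when `ffsl` reports the top bit of the word (bit equal to the width of long) the shift moves a 1 into the sign bit, which C leaves undefined for signed types; the removed `1 << (bit - 1)` had the same issue at bit 32. An unsigned constant of the mask's width, for example `1UL << (bit - 1)`, avoids it. The declaration of `mask` is outside this hunk: it needs to have the fd_mask type rather than int, otherwise `mask = *maskp++` truncates the word before `ffsl` sees it. The `ffsl` call and the long constant should land together, since a scan over the full word paired with an int-width clearing constant cannot reliably clear bits above the int width.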
Comment 1 Sourceware Commits 2005-11-03 21:39:38 UTC
Subject: Bug 1548

CVSROOT:	/cvs/glibc
Module name:	libc
Changes by:	roland@sources.redhat.com	2005-11-03 21:39:36

Modified files:
	sunrpc         : svc.c 

Log message:
	2005-11-03  Roland McGrath  <roland@redhat.com>
	
	[BZ #1548]
	* sunrpc/svc.c (svc_getreqset): Use ffsl instead of ffs on fd_mask.
	From Jay Lan <jlan@engr.sgi.com>.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/svc.c.diff?cvsroot=glibc&r1=1.18&r2=1.19

Comment 2 Jay Lan 2005-11-03 23:19:38 UTC
The patch mentioned in Comment#1 is different from what I submitted.
Without "L" in the statement below 
    ... mask ^= (1L << (bit - 1))) 
you still lose LSB 32 bits in 64 bit machines. 
 
- jay 
Comment 3 Sourceware Commits 2005-11-03 23:30:50 UTC
Subject: Bug 1548

CVSROOT:	/cvs/glibc
Module name:	libc
Changes by:	roland@sources.redhat.com	2005-11-03 23:30:45

Modified files:
	sunrpc         : svc.c 

Log message:
	2005-11-03  Roland McGrath  <roland@redhat.com>
	
	[BZ #1548]
	* sunrpc/svc.c (svc_getreqset): Use ffsl instead of ffs on fd_mask,
	make sure constant is long.
	From Jay Lan <jlan@engr.sgi.com>.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/svc.c.diff?cvsroot=glibc&r1=1.19&r2=1.20

Comment 4 Ulrich Drepper 2005-12-23 15:22:32 UTC
Patch has been applied.
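
The failure described in this report, as an added example that is not part of the original thread or of glibc's code: it walks a constructed descriptor bitmap once with ffs() and once with ffsl() and reports which descriptors each scan would dispatch. It assumes a 64-bit long (LP64); READY, scan and is_dispatched are hypothetical names.

```c
#define _GNU_SOURCE            /* ffsl() is an extension declared in <string.h> */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MASK_BITS ((int)(8 * sizeof(long)))  /* NFDBITS: fd_mask is a long */
#define MAX_FDS 128
#define NWORDS (MAX_FDS / MASK_BITS)

/* Constructed sample: descriptors marked readable by a hypothetical select(). */
static const int READY[] = { 3, 31, 32, 40, 63, 64, 100, 127 };
#define NREADY ((int)(sizeof READY / sizeof READY[0]))

/* Walk the bitmap word by word as svc_getreqset does and record every
   descriptor that would reach svc_getreq_common. use_ffsl == 0 models the
   original loop, where passing a long to ffs() keeps only its low int bits. */
static int scan(const unsigned long *words, int use_ffsl, int *out)
{
    int n = 0;
    for (int w = 0; w < NWORDS; w++) {
        unsigned long mask = words[w];
        int bit;
        while ((bit = use_ffsl ? ffsl((long)mask) : ffs((int)mask)) != 0) {
            out[n++] = w * MASK_BITS + bit - 1;
            /* Clearing constant is as wide as the mask and unsigned. */
            mask &= ~(1UL << (bit - 1));
        }
    }
    return n;
}

/* Returns 1 if fd from the constructed set is dispatched by the chosen scan. */
int is_dispatched(int fd, int use_ffsl)
{
    unsigned long words[NWORDS] = { 0 };
    int out[MAX_FDS];
    for (int i = 0; i < NREADY; i++)
        words[READY[i] / MASK_BITS] |= 1UL << (READY[i] % MASK_BITS);
    int n = scan(words, use_ffsl, out);
    for (int i = 0; i < n; i++)
        if (out[i] == fd) return 1;
    return 0;
}

int main(void)
{
    for (int i = 0; i < NREADY; i++)
        printf("fd %3d  ffs:%d  ffsl:%d\n", READY[i],
               is_dispatched(READY[i], 0), is_dispatched(READY[i], 1));
}
```

On an LP64 system the ffs() column is 0 for descriptors 32, 40, 63, 100 and 127, the ranges named in the description, while the ffsl() column is 1 for every descriptor in the set.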