[PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
Stefan Liebler
stli@linux.ibm.com
Wed Dec 2 08:56:06 GMT 2020
If glibc is built with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:
svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
In the out-of-memory case, if one of the mallocs in the makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL
and the subsequent memcpy would copy to NULL.
Instead of segfaulting, svctcp_rendezvous_abort is now called.
The same applies to svc_unix.c.
---
sunrpc/svc_tcp.c | 5 +++++
sunrpc/svc_unix.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
index efbdd22548..738d47edb0 100644
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -271,6 +271,11 @@ again:
* make a new transporter (re-uses xprt)
*/
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
+
+ /* If we are out of memory, makefd_xprt has already dumped an error. */
+ if (xprt == NULL)
+ svctcp_rendezvous_abort ();
+
memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
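Review bot: The added `if (xprt == NULL)` branch before the memcpy answers a failed allocation for one incoming connection by calling svctcp_rendezvous_abort (). If that call terminates the process, as its name suggests, every transport the server is already handling goes down with it, so memory pressure during a connection attempt becomes a loss of the whole service. This path already ends in `return FALSE;` with no RPC message to process, so consider releasing the descriptor passed as sock and returning FALSE from the NULL branch, which keeps the listener alive to accept again once memory is available.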
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index e01afeabe6..b13a4cd282 100644
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -270,6 +270,11 @@ again:
memset (&in_addr, '\0', sizeof (in_addr));
in_addr.sin_family = AF_UNIX;
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
+
+ /* If we are out of memory, makefd_xprt has already dumped an error. */
+ if (xprt == NULL)
+ svcunix_rendezvous_abort ();
+
memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
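Review bot: The memcpy into `&xprt->xp_raddr` that follows the added `if (xprt == NULL)` is only safe if svcunix_rendezvous_abort () never returns, and nothing in this hunk says so. The comment explains why no message is printed here but not why falling through is impossible. Either state in the comment that the call does not return, or put a `return FALSE;` after it inside a braced branch so the NULL dereference is excluded regardless of how the abort helper is declared. The same applies to the identical check in svc_tcp.c.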
--
2.23.0