[PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.

Adhemerval Zanella adhemerval.zanella@linaro.org
Thu Dec 3 11:37:29 GMT 2020



On 02/12/2020 05:56, Stefan Liebler via Libc-alpha wrote:
> If glibc is built with -O3 on at least 390 (-m31) or x86 (-m32),
> gcc 11 dumps this warning:
> svc_tcp.c: In function 'rendezvous_request':
> svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
>   274 |   memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
>       |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
> 
> In out-of-memory case, if one of the mallocs in makefd_xprt function
> returns NULL, a message is dumped, makefd_xprt returns NULL
> and the subsequent memcpy would copy to NULL.
> 
> Instead of segfaulting, svctcp_rendezvous_abort is now called.

It does not do what other parts of sunrpc do in case of memory allocation
failure; it seems that usually the idea is to do some cleanup and return
FALSE (in the case where the function returns bool_t).

> 
> The same applies to svc_unix.c.
> ---
>  sunrpc/svc_tcp.c  | 5 +++++
>  sunrpc/svc_unix.c | 5 +++++
>  2 files changed, 10 insertions(+)
> 
> diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
> index efbdd22548..738d47edb0 100644
> --- a/sunrpc/svc_tcp.c
> +++ b/sunrpc/svc_tcp.c
> @@ -271,6 +271,11 @@ again:
>     * make a new transporter (re-uses xprt)
>     */
>    xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
> +
> +  /* If we are out of memory, makefd_xprt has already dumped an error.  */
> +  if (xprt == NULL)
> +    svctcp_rendezvous_abort ();
> +
>    memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
>    xprt->xp_addrlen = len;
>    return FALSE;		/* there is never an rpc msg to be processed */
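
Review bot: The added `if (xprt == NULL)` in svc_tcp.c has no `return` or `else`, so the `memcpy (&xprt->xp_raddr, &addr, sizeof (addr))` on the next line is only safe if svctcp_rendezvous_abort never returns, and neither the hunk nor its comment states that. The function already ends in `return FALSE;`, so consider an explicit failure path here: if `sock` is still open at this point, close it, then `return FALSE;`. That makes the NULL case visibly unreachable for the memcpy and lets the server keep accepting later connections under memory pressure instead of terminating.
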
> diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
> index e01afeabe6..b13a4cd282 100644
> --- a/sunrpc/svc_unix.c
> +++ b/sunrpc/svc_unix.c
> @@ -270,6 +270,11 @@ again:
>    memset (&in_addr, '\0', sizeof (in_addr));
>    in_addr.sin_family = AF_UNIX;
>    xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
> +
> +  /* If we are out of memory, makefd_xprt has already dumped an error.  */
> +  if (xprt == NULL)
> +    svcunix_rendezvous_abort ();
> +
>    memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
>    xprt->xp_addrlen = len;
>    return FALSE;		/* there is never an rpc msg to be processed */
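
Review bot: The comment above `if (xprt == NULL)` in svc_unix.c only says that makefd_xprt already reported the error; it does not say what happens to the `sock` that was passed to makefd_xprt, nor that control must not reach `memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr))`. Please document both, and keep the failure handling identical to whatever is chosen for svc_tcp.c: a cleanup followed by `return FALSE;` would make the two rendezvous_request functions fail the same way and avoid relying on svcunix_rendezvous_abort not returning.
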
> 

