| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
If clnt_dg_destroy() or clnt_vc_destroy() is awoken with other blocked
operations pending (such as clnt_*_call(), clnt_*_control(), or
clnt_*_freeres()) but no active operation currently being executed, then the
client gets destroyed. Then, as the other blocked operations get subsequently
awoken, they will try operate on an invalid client handle, potentially causing
unpredictable behavior and stack corruption.
Signed-off-by: Attila Kovacs <attipaci@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In clnt_dg.c in clnt_dg_freeres(), cu_fd_lock->active is set to TRUE, with no
corresponding clearing when the operation (*xdr_res() call) is completed. This
would leave other waiting operations blocked indefinitely, effectively
deadlocking the client. For comparison, clnt_vd_freeres() in clnt_vc.c does not
set the active state to TRUE. I believe the vc behavior is correct, while the
dg behavior is a bug.
Signed-off-by: Attila Kovacs <attipaci@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In cnlt_dg_freeres() and clnt_vc_freeres(), cond_signal() is called after
unlocking the mutex (clnt_fd_lock). The manual of pthread_cond_signal()
allows that, but mentions that for consistent scheduling, cond_signal()
should be called with the waiting mutex locked.
clnt_fd_lock is locked on L171, but then not released if jumping to the
err1 label on an error (L175 and L180). This means that those errors
will deadlock all further operations that require clnt_fd_lock access.
Same in clnt_vc.c in clnt_vc_create, on lines 215, 222, and 230 respectively.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
Free the cbuf after obtaining the error number.
Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Disallow calling auth_refresh from clnt_{dg,vc}_call if the client is
using RPCSEC_GSS. Doing so can recurse back into clnt_{dg,vc}_call,
where we'll self-deadlock waiting on the condition variable.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
Fix the use of an fd_lock referenced from private client data after it
was freed.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently per-fd locks for the clients are pre-allocated up to
the soft limit of maximum allowed open file desciptors per process as
defined in __rpc_dtbsize():
if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
return (tbsize = (int)rl.rlim_cur);
}
This limit can be arbitrarily large for any given process resulting in
unreasonable memory allocation. For example, for systemd PID1 process
this limit is set to 1073741816 since version 240. systemd is an
indirect user of this library as it fetches information about users,
groups, etc...
This patch proposes a list implementation of per-fd locks based on glibc
doubly linked lists. It also includes support for a fixed array based
pre-allocation up to a compile-time defined limit of locks for
equivalence to the previous implementation.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There exits a possibility of an integer overflow in the
clnt_vc_create @ src/clnt_vc.c : 217 and
clnt_dg_create @ src/clnt_dg.c : 176.
In clnt_dg_create, the integer dtbsize is multiplied
with the size of the cond_t structure to get the total
number of bytes to be allocated.
The integer dtbsize is the value returned by a call to __rpc_dtbsize.
163: int cv_allocsz;
164: size_t fd_allocsz;
165: int dtbsize = __rpc_dtbsize();
176: cv_allocsz = dtbsize * sizeof (cond_t);
On a 32 bit version, the integer dtbsize is multiplied with the value 48.
The value returned by __rpc_dtbsize is the hard limit on the maximum
number of file descriptors which is 2^20 by default in my Ubuntu 16.04.
If this hard limit was increased to a value greater than 2^27,
this multiplication would overflow and result in a value smaller
than the expected size.
I understand that changing the hard limit on the maximum value of file
descriptors requires root privilege. But it would be reasonable
to double check this value before using it in calculations.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1600284
From: Jayakrishna Menon <jkrshnmenon@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 2936f109590e add free()s on memory that
was allocated from the stack (via alloca()).
That type memory is automatically freed so
those added free()s was causing a double frees.
It was suggested allocating memory from the
stack can be a bit troublesome. So this patch
changes the memory allocation from the stack
to the heap which also eliminates the double frees.
Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1337142
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
poll.h, signal.h, errno.h and fcntl.h are all defined in POSIX
and their location are not under sys/
This fixes various compile warning when building with musl libc like:
In file included from clnt_dg.c:40:0:
/usr/include/sys/poll.h:1:2: warning: #warning redirecting
incorrect #include <sys/poll.h> to <poll.h> [-Wcpp]
In file included from clnt_generic.c:32:0:
/usr/include/sys/fcntl.h:1:2: warning: #warning redirecting
incorrect #include <sys/fcntl.h> to <fcntl.h> [-Wcpp]
In file included from auth_time.c:34:0:
/usr/include/sys/signal.h:1:2: warning: #warning redirecting
incorrect #include <sys/signal.h> to <signal.h> [-Wcpp]
In file included from auth_time.c:35:0:
/usr/include/sys/errno.h:1:2: warning: #warning redirecting
incorrect #include <sys/errno.h> to <errno.h> [-Wcpp]
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
clnt_dg.c:312:12: warning: variable 'inlen' set but not used
[-Wunused-but-set-variable]
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Client code lacks support for authenticator wrapping/unwrapping, which
is particularly useful when using GSS.
Verified for both tcp & udp using a trivial RPC client against a MIT
Krb5 server.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
| |
as well as some other warnings.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
After an RPC over datagram call times out, clnt_dg_call() goes into a
loop, spamming the server with endless retransmits. Since signals
are masked, a ^C doesn't break the loop -- the process must be KILLed.
Add missing logic to exit appropriately after the call's total time
has expired.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
permission of Sun Microsystems
Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
| |
released during an error path in clnt_dg_call.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
- Fixed some of warnings in: src/auth_time.c, src/clnt_dg.c and
src/clnt_raw.c
- Added some #ifdef NOTUSED around some code in src/rpbc_clnt.c
that was not being used...
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
| |
application will see errors instead of timing out
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|