[Bug nis/3559] New: unchecked malloc in glibc/sunrpc/svc_run.c

[Bug nis/3559] New: unchecked malloc in glibc/sunrpc/svc_run.c

[csnook at redhat dot com]

malloc result in glibc/sunrpc/svc_run.c is used without being checked:

62      my_pollfd = malloc (sizeof (struct pollfd) * svc_max_pollfd);
63      for (i = 0; i < svc_max_pollfd; ++i)
64	{
65	  my_pollfd[i].fd = svc_pollfd[i].fd;

This was discovered by code inspection while troubleshooting ypbind, and is
unchanged in CVS.

-- 
           Summary: unchecked malloc in glibc/sunrpc/svc_run.c
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nis
        AssignedTo: kukuk at suse dot de
        ReportedBy: csnook at redhat dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[csnook at redhat dot com]

------- Additional Comments From csnook at redhat dot com  2006-11-22 05:24 -------
Created an attachment (id=1434)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1434&action=view)
patch to report error and return if malloc fails

patch to report error and return if malloc fails

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[jakub at redhat dot com]

------- Additional Comments From jakub at redhat dot com  2006-11-22 07:51 -------
If we touch this file, there are further things we should look at:
1) svc_exit's comment says it should be usable in signal handler, but calling
   free isn't possible in signal handlers, perhaps just clearing svc_maxpoll_fd
   and freeing in svc_run instead
2) doing a malloc/free pair in every single svc_run loop iteration sounds
   overkill to me, it should be enough if it reallocates the memory if
   svc_maxpoll_fd changes since last invocation

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[csnook at redhat dot com]

------- Additional Comments From csnook at redhat dot com  2006-11-22 08:13 -------
For that matter, using svc_max_pollfd as a sentinel like this is racy, and
should be replaced with a real sentinel whose value isn't used within the loop
it also controls.

Perhaps a better question would be whether anything actually calls svc_exit at
all.  It's not called anywhere in ypbind-mt, but I suppose other RPC services
might use it.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2006-11-27 23:02 -------
I've applied the patch to handle malloc errors.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2007-01-12 16:59 -------
Subject: Bug 3559

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_5-branch
Changes by:	jakub@sourceware.org	2007-01-12 16:59:03

Modified files:
	.              : ChangeLog 
	sunrpc         : svc_run.c 

Log message:
	[BZ #3559]
	* sunrpc/svc_run.c (svc_run): Fail instead of segfaulting if
	malloc crashed.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10362.2.14&r2=1.10362.2.15
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sunrpc/svc_run.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10&r2=1.10.8.1



-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nis/3559] unchecked malloc in glibc/sunrpc/svc_run.c

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2007-02-17 09:10 -------
I'm closing this.  The code is broken by design, there is not much we can do
except fixing critical problems.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=3559

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.