[2584] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-libs/301: gssrpc coredumps in recvmsg() [post-1.0]

daemon@ATHENA.MIT.EDU (tlyu@MIT.EDU)
Wed Dec 18 02:42:09 1996

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, tlyu@MIT.EDU
Date: Wed, 18 Dec 1996 02:41:52 -0500
From: tlyu@MIT.EDU
Reply-To: tlyu@MIT.EDU
To: krb5-bugs@MIT.EDU


>Number:         301
>Category:       krb5-libs
>Synopsis:       gssrpc coredumps in recvmsg()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Dec 18 02:42:01 EST 1996
>Last-Modified:
>Originator:     Tom Yu
>Organization:
mit
>Release:        post-1.0
>Environment:
	
System: SunOS tesla-coil 5.4 Generic_101945-37 sun4m sparc


>Description:
	I found this on the mainline; don't panic...
Basically the rpc unit tests fail due to a coredump deep in the rpc
library.

Core was generated by `./server -u'.
Program terminated with signal 11, Segmentation fault.

[spewage deleted]

#0  0xef5aa710 in recvmsg ()
(gdb) bt
#0  0xef5aa710 in recvmsg ()
#1  0xef791ad0 in svcudp_recv (xprt=0x220f8, msg=0xefffe980)
    at ../../../src/lib/rpc/svc_udp.c:188
#2  0xef78d688 in svc_getreqset (readfds=0xefffea28)
    at ../../../src/lib/rpc/svc.c:430
#3  0xef7906e8 in svc_run () at ../../../src/lib/rpc/svc_run.c:69
#4  0x11244 in main (argc=0, argv=0xefffebac)
    at ../../../../src/lib/rpc/unit-test/server.c:120
(gdb) up
#1  0xef791ad0 in svcudp_recv (xprt=0x220f8, msg=0xefffe980)
    at ../../../src/lib/rpc/svc_udp.c:188
188             rlen = recvmsg(xprt->xp_sock, &dummy, MSG_PEEK);
(gdb) info locals
dummy = {msg_name = 0x221", msg_namelen = 16, msg_iov = 0x0,
  msg_iovlen = 0, msg_accrights = 0x0, msg_accrightslen = 0}
su = (struct svcudp_data *) 0x22150
xdrs = (XDR *) 0x22158
rlen = 0
reply = 0x0
replylen = 0

diassembling a bit...

0xef5aa66c <recvmsg>:   save  %sp, -184, %sp
0xef5aa670 <recvmsg+4>: st  %i2, [ %fp + 0x4c ]
0xef5aa674 <recvmsg+8>: mov  0xc, %l3
0xef5aa678 <recvmsg+12>:        ld  [ %i1 + 0xc ], %o0
0xef5aa67c <recvmsg+16>:        cmp  %o0, 1
0xef5aa680 <recvmsg+20>:        ble,a   0xef5aa70c <recvmsg+160>
0xef5aa684 <recvmsg+24>:        ld  [ %i1 + 8 ], %i3
0xef5aa688 <recvmsg+28>:        clr  %i4
0xef5aa708 <recvmsg+156>:       nop
0xef5aa70c <recvmsg+160>:       ld  [ %i1 + 8 ], %l5
0xef5aa710 <recvmsg+164>:       ld  [ %i3 + 4 ], %i3
0xef5aa714 <recvmsg+168>:       ld  [ %l5 ], %l5
0xef5aa718 <recvmsg+172>:       call  0xef5bcda0 <.L670+67820>

[disclaimer... I'm not that clueful about sparc assembler...]

Here I'm assuming %i0 gets the first arg, %i1 gets the second, etc.,
thus %i1 + 0xc is &msg->msg_iovlen, and %o0 gets msg->msg_iovlen == 0.
I'm guessing that there are one or two jump slots after the ble
instruction, so that %i3 gets msg->msg_iov, which is NULL.  This makes
sense that the fault would occur on the "ld [ %i3 + 4 ], %i3".

(gdb) p $i0
$19 = 4
(gdb) p (char*)$i1
$21 = 0xefffe3f8 ""
(gdb) p $i2
$22 = 2
(gdb) p $i3
$23 = 0
(gdb) up
#1  0xef791ad0 in svcudp_recv (xprt=0x220f8, msg=0xefffe980)
    at ../../../src/lib/rpc/svc_udp.c:188
188             rlen = recvmsg(xprt->xp_sock, &dummy, MSG_PEEK);
(gdb) p &dummy
$14 = (struct msghdr *) 0xefffe3f8
(gdb) p xprt->xp_sock
$24 = 4

Anyway, it does seem to point rather strongly in favor of the
conclusion that recvmsg() doesn't check to see if msg->msg_iov is a
NULL pointer, or if msg->msg_iovlen is zero.

>How-To-Repeat:
	Try running make check in lib/rpc.
>Fix:
	* Pester Sun about recvmsg() being broken. (yeah, right)  It
is not clear that they're at fault; the manpage doesn't say what
recvmsg() does if it gets a NULL msg->msg_iovec.

	* Fix svcudp_recv() so that it actually passes an iovec.
>Audit-Trail:
>Unformatted:

home help back first fref pref prev next nref lref last post