From 1bdee1756e70ec2611e568776dd93c70f5e6feef Mon Sep 17 00:00:00 2001
From: Raghavendra G
Date: Mon, 6 Sep 2010 05:44:14 +0000
Subject: rpc-clnt: fix memory corruption happening while encoding auth data.
- buffer containing authdata pointed by rpc-request was allocated on stack of procedure rpc_clnt_fill_request, but was being used as source for xdr-encoding in rpc_clnt_record_build_record. Hence by the time auth-data is being copied during encoding of request, it might've been freed and hence contain garbage.
Signed-off-by: Raghavendra G
Signed-off-by: Vijay Bellur
BUG: 875 (Implement a new protocol to provide proper backward/forward compatibility)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=875
---
 rpc/rpc-lib/src/rpc-clnt.c | 22 +++++++++++-----------
 rpc/rpc-lib/src/rpc-clnt.h | 1 +
 2 files changed, 12 insertions(+), 11 deletions(-)
(limited to 'rpc/rpc-lib')
diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c
index 8d923ed5f..52316a03a 100644
--- a/rpc/rpc-lib/src/rpc-clnt.c
+++ b/rpc/rpc-lib/src/rpc-clnt.c
@@ -1034,10 +1034,9 @@ ret:
 int
 rpc_clnt_fill_request (int prognum, int progver, int procnum, int payload,
 uint64_t xid, struct auth_glusterfs_parms *au,
- struct rpc_msg *request)
+ struct rpc_msg *request, char *auth_data)
 {
 int ret = -1;
- char dest[1024] = {0,};
 if (!request) {
 goto out;
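Review bot: `rpc_clnt_fill_request` now writes the serialized credentials through a caller-supplied `auth_data` pointer that comes with no length and is not covered by the `if (!request)` guard. The old local `dest[1024]` fixed the capacity right next to the write; after this change the callee (here and in the `@@ -1056` hunk, where `xdr_serialize_glusterfs_auth (auth_data, au)` fills it) relies on every caller passing at least `RPC_CLNT_MAX_AUTH_BYTES` bytes, and whether the serializer bounds its own output is not visible on this page. I would extend the guard to `if (!request || !auth_data) {` and add a comment above the function stating that `auth_data` must hold at least `RPC_CLNT_MAX_AUTH_BYTES` bytes and must stay valid until `request` has been XDR-encoded. The function body continues outside this hunk.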
@@ -1056,14 +1055,14 @@ rpc_clnt_fill_request (int prognum, int progver, int procnum, int payload,
 /* TODO: Using AUTH_GLUSTERFS for time-being. Make it modular in
 * future so it is easy to plug-in new authentication schemes. */
- ret = xdr_serialize_glusterfs_auth (dest, au);
+ ret = xdr_serialize_glusterfs_auth (auth_data, au);
 if (ret == -1) {
 gf_log ("rpc-clnt", GF_LOG_DEBUG, "cannot encode credentials");
 goto out;
 }
 request->rm_call.cb_cred.oa_flavor = AUTH_GLUSTERFS;
- request->rm_call.cb_cred.oa_base = dest;
+ request->rm_call.cb_cred.oa_base = auth_data;
 request->rm_call.cb_cred.oa_length = ret;
 request->rm_call.cb_verf.oa_flavor = AUTH_NONE;
@@ -1116,12 +1115,13 @@ rpc_clnt_record_build_record (struct rpc_clnt *clnt, int prognum, int progver,
 int procnum, size_t payload, uint64_t xid, struct auth_glusterfs_parms *au, struct iovec *recbuf)
 {
- struct rpc_msg request = {0, };
- struct iobuf *request_iob = NULL;
- char *record = NULL;
- struct iovec recordhdr = {0, };
- size_t pagesize = 0;
- int ret = -1;
+ struct rpc_msg request = {0, };
+ struct iobuf *request_iob = NULL;
+ char *record = NULL;
+ struct iovec recordhdr = {0, };
+ size_t pagesize = 0;
+ int ret = -1;
+ char auth_data[RPC_CLNT_MAX_AUTH_BYTES] = {0, };
 if ((!clnt) || (!recbuf) || (!au)) {
 goto out;
@@ -1142,7 +1142,7 @@ rpc_clnt_record_build_record (struct rpc_clnt *clnt, int prognum, int progver,
 /* Fill the rpc structure and XDR it into the buffer got above. */
 ret = rpc_clnt_fill_request (prognum, progver, procnum, payload, xid,
- au, &request);
+ au, &request, auth_data);
 if (ret == -1) {
 gf_log ("rpc-clnt", GF_LOG_DEBUG, "cannot build a rpc-request "
 "xid (%"PRIu64")", xid);
diff --git a/rpc/rpc-lib/src/rpc-clnt.h b/rpc/rpc-lib/src/rpc-clnt.h
index a0251c7c5..ab95608ad 100644
--- a/rpc/rpc-lib/src/rpc-clnt.h
+++ b/rpc/rpc-lib/src/rpc-clnt.h
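Review bot: In the `@@ -1116` hunk of rpc-clnt.c, `auth_data` is still a stack array, now in `rpc_clnt_record_build_record`, and `request.rm_call.cb_cred.oa_base` ends up pointing into it, so the fix holds only while `request` is encoded before this function returns. `request` and `auth_data` are locals of the same frame, which matches their lifetimes as long as nothing copies `oa_base` out of the function; the encode call itself lies outside the visible hunks, so that cannot be confirmed from here. A comment on the declaration would keep a later refactor from reintroducing the dangling pointer, for example `/* backing store for request.rm_call.cb_cred.oa_base; must outlive the XDR encode of request */`.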
@@ -32,6 +32,7 @@ typedef enum {
 } rpc_clnt_event_t;
 #define AUTH_GLUSTERFS 5
+#define RPC_CLNT_MAX_AUTH_BYTES 1024
 struct xptr_clnt;
 struct rpc_req;
-- cgit
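Review bot: `RPC_CLNT_MAX_AUTH_BYTES` is added without a comment saying what bounds it, although it is now the only thing sizing the buffer that `xdr_serialize_glusterfs_auth` writes into. I would document it, for example `/* size of the buffer handed to xdr_serialize_glusterfs_auth; must be >= its largest output */`, and confirm that 1024 covers the largest encoding of `struct auth_glusterfs_parms`, whose definition is not on this page. If the request is later encoded by the stock ONC RPC `xdr_callmsg`, credentials longer than `MAX_AUTH_BYTES` (400) are presumably rejected there, so the two limits are worth checking against each other.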