diff options
| author | Raghavendra G <raghavendra@gluster.com> | 2010-09-06 05:44:14 +0000 |
|---|---|---|
| committer | Vijay Bellur <vijay@dev.gluster.com> | 2010-09-06 09:37:31 -0700 |
| commit | 1bdee1756e70ec2611e568776dd93c70f5e6feef (patch) | |
| tree | 74802ecef1cd5a083e1778f73a922c78d80e851a /rpc | |
| parent | d48378e4971b6b75f328923054959f6dc4dd89f6 (diff) | |
rpc-clnt: fix memory corruption happening while encoding auth data.
- buffer containing authdata pointed by rpc-request was allocated on stack of
procedure rpc_clnt_fill_request, but was being used as source for xdr-encoding
in rpc_clnt_record_build_record. Hence by the time auth-data is being copied
during encoding of request, it might've been freed and hence contain garbage.
Signed-off-by: Raghavendra G <raghavendra@gluster.com>
Signed-off-by: Vijay Bellur <vijay@dev.gluster.com>
BUG: 875 (Implement a new protocol to provide proper backward/forward compatibility)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=875
Diffstat (limited to 'rpc')
| -rw-r--r-- | rpc/rpc-lib/src/rpc-clnt.c | 22 | ||||
| -rw-r--r-- | rpc/rpc-lib/src/rpc-clnt.h | 1 |
2 files changed, 12 insertions, 11 deletions
diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c index 8d923ed5f43..52316a03a58 100644 --- a/rpc/rpc-lib/src/rpc-clnt.c +++ b/rpc/rpc-lib/src/rpc-clnt.c @@ -1034,10 +1034,9 @@ ret: int rpc_clnt_fill_request (int prognum, int progver, int procnum, int payload, uint64_t xid, struct auth_glusterfs_parms *au, - struct rpc_msg *request) + struct rpc_msg *request, char *auth_data) { int ret = -1; - char dest[1024] = {0,}; if (!request) { goto out; @@ -1056,14 +1055,14 @@ rpc_clnt_fill_request (int prognum, int progver, int procnum, int payload, /* TODO: Using AUTH_GLUSTERFS for time-being. Make it modular in * future so it is easy to plug-in new authentication schemes. */ - ret = xdr_serialize_glusterfs_auth (dest, au); + ret = xdr_serialize_glusterfs_auth (auth_data, au); if (ret == -1) { gf_log ("rpc-clnt", GF_LOG_DEBUG, "cannot encode credentials"); goto out; } request->rm_call.cb_cred.oa_flavor = AUTH_GLUSTERFS; - request->rm_call.cb_cred.oa_base = dest; + request->rm_call.cb_cred.oa_base = auth_data; request->rm_call.cb_cred.oa_length = ret; request->rm_call.cb_verf.oa_flavor = AUTH_NONE; @@ -1116,12 +1115,13 @@ rpc_clnt_record_build_record (struct rpc_clnt *clnt, int prognum, int progver, int procnum, size_t payload, uint64_t xid, struct auth_glusterfs_parms *au, struct iovec *recbuf) { - struct rpc_msg request = {0, }; - struct iobuf *request_iob = NULL; - char *record = NULL; - struct iovec recordhdr = {0, }; - size_t pagesize = 0; - int ret = -1; + struct rpc_msg request = {0, }; + struct iobuf *request_iob = NULL; + char *record = NULL; + struct iovec recordhdr = {0, }; + size_t pagesize = 0; + int ret = -1; + char auth_data[RPC_CLNT_MAX_AUTH_BYTES] = {0, }; if ((!clnt) || (!recbuf) || (!au)) { goto out; @@ -1142,7 +1142,7 @@ rpc_clnt_record_build_record (struct rpc_clnt *clnt, int prognum, int progver, /* Fill the rpc structure and XDR it into the buffer got above. */ ret = rpc_clnt_fill_request (prognum, progver, procnum, payload, xid, - au, &request); + au, &request, auth_data); if (ret == -1) { gf_log ("rpc-clnt", GF_LOG_DEBUG, "cannot build a rpc-request " "xid (%"PRIu64")", xid); diff --git a/rpc/rpc-lib/src/rpc-clnt.h b/rpc/rpc-lib/src/rpc-clnt.h index a0251c7c551..ab95608adb7 100644 --- a/rpc/rpc-lib/src/rpc-clnt.h +++ b/rpc/rpc-lib/src/rpc-clnt.h @@ -32,6 +32,7 @@ typedef enum { } rpc_clnt_event_t; #define AUTH_GLUSTERFS 5 +#define RPC_CLNT_MAX_AUTH_BYTES 1024 struct xptr_clnt; struct rpc_req; |