Date: Tue, 9 Oct 2012 14:20:42 GMT
From: Erik Cederstrand <erik@cederstrand.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/172523: rpc.lockd: Check value of res->ai_family
Message-ID: <201210091420.q99EKgpD097229@red.freebsd.org>
Resent-Message-ID: <201210092230.q99MU7YC042495@freefall.freebsd.org>
>Number: 172523
>Category: misc
>Synopsis: rpc.lockd: Check value of res->ai_family
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 09 22:30:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Erik Cederstrand
>Release: CURRENT
>Organization:
>Environment:
>Description:
Found with Clang Static Analyzer:
http://scan.freebsd.your.org/freebsd-head/WORLD/2012-10-07-amd64/report-Ap4YNc.html#EndPath

Similar to the create_service() function, lookup_addresses() should fail if the value of res->ai_family is neither AF_INET or AF_INET6. The base type for res->ai_family is int, so there is no constraint that the value is with AF_INET or AF_INET6.
>How-To-Repeat:
>Fix:
See attached patch. Instead of "break;" in the default switch, fail like create_service() function does.

Patch attached with submission follows:

Index: head/usr.sbin/rpc.lockd/lockd.c =================================================================== --- head/usr.sbin/rpc.lockd/lockd.c (revision 241370) +++ head/usr.sbin/rpc.lockd/lockd.c (working copy) @@ -920,7 +920,10 @@ res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); break; default: - break; + syslog(LOG_ERR, + "bad addr fam %d", + res->ai_family); + exit(1); } } else { if ((aicode = getaddrinfo(NULL, svcport_str,

>Release-Note:
>Audit-Trail:
>Unformatted:
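
Review bot: In the new default: arm, the message "bad addr fam %d" does not say that it was raised in lookup_addresses(), so if create_service() logs a similar string an operator cannot tell from syslog which path stopped the daemon; consider naming the function or the address being looked up in the message. Separately, the unchanged context line just above sets res->ai_addrlen to sizeof(res->ai_addr), and ai_addr in struct addrinfo is a pointer, so that stores the pointer size rather than a socket address length; it is worth checking whether the size of the concrete sockaddr structure was intended.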