In clntudp_call(), it is possible that xdr_replymsg() might fail
partway through its attempt to decode the result structure sent by
the server. If this happens, it can leave the result partially
populated with dynamically allocated memory. In this event, the
xdr_replymsg() failure is detected and RPC_CANTDECODERES is returned,
but the memory in the partially populated result struct is not
free()d.

The end result is that memory is leaked when an RPC_CANTDECODERES
error occurs. (This condition can occur if a CLIENT * handle is created
using clntudp_bufcreate() with a receive buffer size that is too small
to handle the result sent by the server.)

Fixed by setting reply_xdrs.x_op to XDR_FREE and calling
xdr_replymsg() again to free the memory if an RPC_CANTDECODERES error
is detected.

I suspect that the clnt_tcp.c, clnt_unix.c and clnt_raw.c modules
may have a similar problem, but I haven't duplicated the condition with
those yet.

Found by: dbmalloc
Bill Paul authored and Bill Paul committed Oct 26, 1997
1 parent be4ad1a commit acbf996
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions lib/libc/rpc/clnt_udp.c
@@ -382,6 +382,20 @@ clntudp_call(cl, proc, xargs, argsp, xresults, resultsp, utimeout)
} /* end of unsuccessful completion */
} /* end of valid reply message */
else {
/*
* It's possible for xdr_replymsg() to fail partway
* through its attempt to decode the result from the
* server. If this happens, it will leave the reply
* structure partially populated with dynamically
* allocated memory. (This can happen if someone uses
* clntudp_bufcreate() to create a CLIENT handle and
* specifies a receive buffer size that is too small.)
* This memory must be free()ed to avoid a leak.
*/
int op = reply_xdrs.x_op;
reply_xdrs.x_op = XDR_FREE;
xdr_replymsg(&reply_xdrs, &reply_msg);
reply_xdrs.x_op = op;
cu->cu_error.re_status = RPC_CANTDECODERES;
}
if (fds != &readfds)
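Review bot: the XDR_FREE pass in the new else branch walks the whole reply_msg, so it frees whatever non-NULL pointer members it finds, including fields the partial XDR_DECODE never reached; the hunk does not show where reply_msg is initialized before decoding, so please confirm it is zeroed (or that xdr_replymsg only touches members it set), otherwise this cleanup could free stale pointers on the very error path it is meant to fix. Saving and restoring x_op around the call is the right way to keep reply_xdrs usable afterwards, and discarding the return value of the XDR_FREE call is fine since nothing depends on it; the commit message notes that clnt_tcp.c, clnt_unix.c and clnt_raw.c likely share the leak, so the same pattern should be applied there once confirmed.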
