svn commit: r318327 - in stable/10: contrib/netbsd-tests/lib/libc/rpc lib/libc/rpc

Mon May 15 23:13:51 UTC 2017

Author: brooks
Date: Mon May 15 23:13:49 2017
New Revision: 318327
URL: https://svnweb.freebsd.org/changeset/base/318327

Log:
  MFC r317660, r317710
  
  r317660:
  Support clnt_raw's use of FD_SETSIZE as a fake file descriptor.
  
  Accomplish this by allocating space for it in __svc_xports and allowing
  it to be registered.  The failure to allocate space was causing an
  out-of-bounds read in svc_getreq_common().  The failure to register
  caused PR 211804.
  
  The bug was found with CHERI bounds checking.
  
  PR:		211804
  Obtained from:	CheriBSD
  Sponsored by:	DARPA, AFRL
  Reviewed by:	ngie
  Differential Revision:	https://reviews.freebsd.org/D10528
  
  r317710:
  Remove expected failure now that it was fixed in r317660.
  
  PR:		211804
  Reviewed by:	ngie
  Obtained from:	CheriBSD
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D10576

Modified:
  stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c
  stable/10/lib/libc/rpc/svc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c
==============================================================================

--- stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c	Mon May 15 23:12:04 2017	(r318326)
+++ stable/10/contrib/netbsd-tests/lib/libc/rpc/t_rpc.c	Mon May 15 23:13:49 2017	(r318327)
@@ -335,9 +335,6 @@ ATF_TC_BODY(raw, tc)
 #ifdef __FreeBSD_bug_216954__
 	atf_tc_expect_signal(SIGSEGV,
 	    "fails with SIGSEGV only on ^/stable/10 -- bug # 216954");
-#else
-	atf_tc_expect_fail("fails with: clnt_call: "
-	    "RPC: Can't decode result -- PR # 211804");
 #endif
 #endif
 	rawtest(NULL);

Modified: stable/10/lib/libc/rpc/svc.c
==============================================================================
--- stable/10/lib/libc/rpc/svc.c	Mon May 15 23:12:04 2017	(r318326)
+++ stable/10/lib/libc/rpc/svc.c	Mon May 15 23:13:49 2017	(r318327)
@@ -108,18 +108,19 @@ xprt_register(SVCXPRT *xprt)
 	rwlock_wrlock(&svc_fd_lock);
 	if (__svc_xports == NULL) {
 		__svc_xports = (SVCXPRT **)
-			mem_alloc(FD_SETSIZE * sizeof(SVCXPRT *));
+			mem_alloc((FD_SETSIZE + 1) * sizeof(SVCXPRT *));
 		if (__svc_xports == NULL) {
 			rwlock_unlock(&svc_fd_lock);
 			return;
 		}
-		memset(__svc_xports, '\0', FD_SETSIZE * sizeof(SVCXPRT *));
+		memset(__svc_xports, '\0', (FD_SETSIZE + 1) * sizeof(SVCXPRT *));
 	}
 	if (sock < FD_SETSIZE) {
 		__svc_xports[sock] = xprt;
 		FD_SET(sock, &svc_fdset);
 		svc_maxfd = max(svc_maxfd, sock);
-	}
+	} else if (sock == FD_SETSIZE)
+		__svc_xports[sock] = xprt;
 	rwlock_unlock(&svc_fd_lock);
 }
 
@@ -157,7 +158,8 @@ __xprt_do_unregister(SVCXPRT *xprt, bool
 				if (__svc_xports[svc_maxfd])
 					break;
 		}
-	}
+	} else if ((sock == FD_SETSIZE) && (__svc_xports[sock] == xprt))
+		__svc_xports[sock] = NULL;
 	if (dolock)
 		rwlock_unlock(&svc_fd_lock);
 }
