Race in Race in clnt_vc_create

 The function clnt_create is *not* thread safe. Race conditions in the
function clnt_vc_create that accesses static data disrupt, which is
*not* protected by any mutex. When more than one thread access it
it has become a nonlocal side effect . This race conditions can lead to
undesired behaviour . By introducing the mutex disrupt_lock
the function clnt_vc_create is serialized

Signed-off-by: Susant Sahani <ssahani@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/src/clnt_vc.c b/src/clnt_vc.c
index 2eab9e4c001af9c9769680276087de8376b7db88..61264d448941752b21d141dc7317bcd392b8ee8e 100644 (file)
--- a/src/clnt_vc.c
+++ b/src/clnt_vc.c
@@ -133,6 +133,7 @@ struct ct_data {
  *      should be the first thing fixed.  One step at a time.
  */
 static int      *vc_fd_locks;
+extern pthread_mutex_t disrupt_lock;
 extern mutex_t  clnt_fd_lock;
 static cond_t   *vc_cv;
 #define release_fd_lock(fd, mask) {    \
@@ -179,8 +180,10 @@ clnt_vc_create(fd, raddr, prog, vers, sendsz, recvsz)
        socklen_t slen;
        struct __rpc_sockinfo si;
 
+       mutex_lock(&disrupt_lock);
        if (disrupt == 0)
                disrupt = (u_int32_t)(long)raddr;
+       mutex_unlock(&disrupt_lock);
 
        cl = (CLIENT *)mem_alloc(sizeof (*cl));
        ct = (struct ct_data *)mem_alloc(sizeof (*ct));
@@ -270,7 +273,9 @@ clnt_vc_create(fd, raddr, prog, vers, sendsz, recvsz)
         * Initialize call message
         */
        (void)gettimeofday(&now, NULL);
+       mutex_lock(&disrupt_lock);
        call_msg.rm_xid = ((u_int32_t)++disrupt) ^ __RPC_GETXID(&now);
+       mutex_unlock(&disrupt_lock);
        call_msg.rm_direction = CALL;
        call_msg.rm_call.cb_rpcvers = RPC_MSG_VERSION;
        call_msg.rm_call.cb_prog = (u_int32_t)prog;

diff --git a/src/mt_misc.c b/src/mt_misc.c
index ddbb0a5bb71c27b60747aee6249ad3e8377a86c6..d459dec7b9d9de31e288fb314c48a78cca4a345f 100644 (file)
--- a/src/mt_misc.c
+++ b/src/mt_misc.c
@@ -97,6 +97,9 @@ pthread_mutex_t nc_db_lock = PTHREAD_MUTEX_INITIALIZER;
 /* protects static port and startport (bindresvport.c) */
 pthread_mutex_t port_lock = PTHREAD_MUTEX_INITIALIZER;
 
+/* protects static disrupt (clnt_vc.c) */
+pthread_mutex_t disrupt_lock = PTHREAD_MUTEX_INITIALIZER;
+
 #undef rpc_createerr
 
 struct rpc_createerr rpc_createerr;