From: Olaf Kirch Date: Tue, 16 Dec 2014 18:48:52 +0000 (-0500) Subject: Fix a crash in clntunix_create X-Git-Tag: libtirpc-0-2-6-rc2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8abf34ee3c5ea0b1dc48018edaf521abb3d0307c;p=libtirpc Fix a crash in clntunix_create Programs using clntunix_create would abort because glibc detected an attempt to free a bad pointer. It turns out that clntunix_create has two bugs: - it sets up a struct netbuf to hold the sockaddr_un passed into the function, but instead of copying the data, it just assigns the sockaddr pointer - and eventually tries to free that pointer. - when setting up the netbuf, it uses sizeof(raddr) instead of sizeof(*raddr). Instead of doing the trivial fixes, I changed the function to use the __rpc_set_netbuf utility function. While I was at it, I removed an unused local variable. Signed-off-by: Olaf Kirch Signed-off-by: Steve Dickson
---
diff --git a/src/rpc_soc.c b/src/rpc_soc.c
index 338edbb..e146ed4 100644
--- a/src/rpc_soc.c
+++ b/src/rpc_soc.c
@@ -564,16 +564,12 @@ clntunix_create(raddr, prog, vers, sockp, sendsz, recvsz)
 u_int sendsz;
 u_int recvsz;
 {
- struct netbuf *svcaddr;
- CLIENT *cl;
+ struct netbuf svcaddr = {0, 0, NULL};
+ CLIENT *cl = NULL;
 int len;
- cl = NULL;
- svcaddr = NULL;
- if (((svcaddr = malloc(sizeof(struct netbuf))) == NULL ) ||
- ((svcaddr->buf = malloc(sizeof(struct sockaddr_un))) == NULL)) {
- if (svcaddr != NULL)
- free(svcaddr);
+ memset(&svcaddr, 0, sizeof(svcaddr));
+ if (__rpc_set_netbuf(&svcaddr, raddr, sizeof(*raddr)) == NULL) {
 rpc_createerr.cf_stat = RPC_SYSTEMERROR;
 rpc_createerr.cf_error.re_errno = errno;
 return(cl);
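Review bot: The `memset(&svcaddr, 0, sizeof(svcaddr));` added just before the `__rpc_set_netbuf` call repeats what the initializer `struct netbuf svcaddr = {0, 0, NULL};` already does, so one of the two can go; keeping only the initializer leaves the zeroed state next to the declaration. The zeroed `len` and `buf` look like a precondition of `__rpc_set_netbuf`, whose body is not in this diff, so a short comment such as `/* netbuf must start empty; __rpc_set_netbuf allocates the buffer and copies raddr into it */` would record why the zeroing matters. The error path stores `errno` after the helper returns NULL, which presumably relies on the helper leaving the allocator's errno untouched. The function body continues outside the hunk.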
@@ -590,14 +586,10 @@ clntunix_create(raddr, prog, vers, sockp, sendsz, recvsz)
 goto done;
 }
 }
- svcaddr->buf = raddr;
- svcaddr->len = sizeof(raddr);
- svcaddr->maxlen = sizeof (struct sockaddr_un);
- cl = clnt_vc_create(*sockp, svcaddr, prog,
+ cl = clnt_vc_create(*sockp, &svcaddr, prog,
 vers, sendsz, recvsz);
 done:
- free(svcaddr->buf);
- free(svcaddr);
+ free(svcaddr.buf);
 return(cl);
 }
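Review bot: Passing `&svcaddr`, now a stack object, to `clnt_vc_create` and then calling `free(svcaddr.buf)` at `done:` is only safe if `clnt_vc_create` copies the address rather than keeping either pointer inside the returned CLIENT. That contract is not visible in this hunk, although the removed code freed its netbuf after the call as well and so relied on the same thing. A comment above `done:` such as `/* clnt_vc_create() keeps its own copy of the address; release the local one */` would make the ownership explicit, once confirmed against `clnt_vc_create`. The `goto done` paths begin above the hunk.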