If I read the code correctly (xdr_inline.h), nodesize==0 connotes "read 0
bytes." So the surrounding code should not index into any such bytes in that
case, if it can in fact arise. I also am not sure what that case would mean.
Matt
----- Original Message -----
> From: "Soumya Koduri" <skod...@redhat.com>
> To: "Matt W. Benjamin" <m...@linuxbox.com>, "Daniel Gryniewicz"
> <d...@redhat.com>
> Cc: nfs-ganesha-devel@lists.sourceforge.net
> Sent: Monday, February 15, 2016 4:40:15 AM
> Subject: [Nfs-ganesha-devel] SIGSEGV in "xdr_nfs_fh3()"
>
> Hi Matt/Daniel,
>
> There is a crash reported due to SIGSEGV in "xdr_nfs_fh3()" [1]. As
> mentioned in the comments [2], we couldn't analyze the core, but when
> inspected the code, found a potential issue.
>
>
> In 'xdr_nfs_fh3(..)' {
>
> .....
> 458 if (!xdr_bytes
> 459 (xdrs, (char **)&objp->data.data_val,
> 460 (u_int *) & objp->data.data_len, 64))
> 461 return (false);
> 462
> 463 if (xdrs->x_op == XDR_DECODE) {
> 464 fh = (file_handle_v3_t *)objp->data.data_val;
> 465 fh->exportid = ntohs(fh->exportid);
> 466 }
>
> ...........
> }
>
> In xdr_bytes(..) {
> ....
> 522 case XDR_DECODE:
> 523 if (nodesize == 0)
> 524 return (true);
> 525 if (sp == NULL)
> 526 *cpp = sp = mem_alloc(nodesize);
> 527 if (sp == NULL) {
> 528 __warnx(TIRPC_DEBUG_FLAG_XDR,
> 529 "xdr_bytes: out of memory");
> 530 return (false);
> 531 }
>
>
>
> ...........
> }
>
> In the above routine (xdr_bytes), if nodesize is '0' (line:522) we
> return true without allocating any memory. And in 'xdr_nfs_fh3()', we
> shall end up de-referencing this unallocated memory at line 465.
>
> I am not sure in what cases nodesize could be '0' and how we can extract
> filehandle from the xdr object then. Could you please confirm the same.
>
>
> Thanks,
> Soumya
>
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1306691
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1306691#c5
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Nfs-ganesha-devel mailing list
> Nfs-ganesha-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
>
--
--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-707-0660
fax. 734-769-8938
cel. 734-216-5309
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
