On 02/15/2016 09:44 PM, Matt Benjamin wrote:
> If I read the code correctly (xdr_inline.h), nodesize==0 connotes "read 0
> bytes." So the surrounding code should not index into any such bytes in that
> case, if it can in fact arise. I also am not sure what that case would mean.
>
Thanks Matt. So can the fix be to return false when nodesize is '0'?
-Soumya
> Matt
>
> ----- Original Message -----
>> From: "Soumya Koduri" <skod...@redhat.com>
>> To: "Matt W. Benjamin" <m...@linuxbox.com>, "Daniel Gryniewicz"
>> <d...@redhat.com>
>> Cc: nfs-ganesha-devel@lists.sourceforge.net
>> Sent: Monday, February 15, 2016 4:40:15 AM
>> Subject: [Nfs-ganesha-devel] SIGSEGV in "xdr_nfs_fh3()"
>>
>> Hi Matt/Daniel,
>>
>> There is a crash reported due to SIGSEGV in "xdr_nfs_fh3()" [1]. As
>> mentioned in the comments [2], we couldn't analyze the core, but when
>> inspected the code, found a potential issue.
>>
>>
>> In 'xdr_nfs_fh3(..)' {
>>
>> .....
>> 458 if (!xdr_bytes
>> 459 (xdrs, (char **)&objp->data.data_val,
>> 460 (u_int *) & objp->data.data_len, 64))
>> 461 return (false);
>> 462
>> 463 if (xdrs->x_op == XDR_DECODE) {
>> 464 fh = (file_handle_v3_t *)objp->data.data_val;
>> 465 fh->exportid = ntohs(fh->exportid);
>> 466 }
>>
>> ...........
>> }
>>
>> In xdr_bytes(..) {
>> ....
>> 522 case XDR_DECODE:
>> 523 if (nodesize == 0)
>> 524 return (true);
>> 525 if (sp == NULL)
>> 526 *cpp = sp = mem_alloc(nodesize);
>> 527 if (sp == NULL) {
>> 528 __warnx(TIRPC_DEBUG_FLAG_XDR,
>> 529 "xdr_bytes: out of memory");
>> 530 return (false);
>> 531 }
>>
>>
>>
>> ...........
>> }
>>
>> In the above routine (xdr_bytes), if nodesize is '0' (line:522) we
>> return true without allocating any memory. And in 'xdr_nfs_fh3()', we
>> shall end up de-referencing this unallocated memory at line 465.
>>
>> I am not sure in what cases nodesize could be '0' and how we can extract
>> filehandle from the xdr object then. Could you please confirm the same.
>>
>>
>> Thanks,
>> Soumya
>>
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1306691
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1306691#c5
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>> _______________________________________________
>> Nfs-ganesha-devel mailing list
>> Nfs-ganesha-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
>>
>
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
