My first OpenSolaris contributed bugfix.  I have fixed

    6203874 ypxfrd coredumps in x86 master/SPARC slave scenarios


Updated analysis for the bug:

Root cause for the coredump is that the original code is encoding the
pagebuffer into network byteorder when mygetpage() hasn't returned OK;
that is, when mygetpage() must have returned with GETDBM_EOF.

In the GETDBM_EOF case, no new data was filled into the "pagblock".
The code in the DOSWAB section reads an already byteswapped length
"cnt = s[0]" from the previous loop, and uses this bogus length to byteswap
a block of shorts in memory.  Using the bogus length, it corrupts this
memory block; the corruption is not limited to the local
static variable "static  struct pag res;".


Suggested fix:

*** usr/src/cmd/ypcmd/ypxfrd_server.c~  Tue Jun 14 09:44:51 2005
--- usr/src/cmd/ypcmd/ypxfrd_server.c   Tue Jun 28 18:45:11 2005
***************
*** 267,276 ****
        res.status = mygetpage(res.pag_u.ok.blkdat, &(res.pag_u.ok.blkno), m);

  #ifdef DOSWAB
!       s = (short *)res.pag_u.ok.blkdat;
!       cnt = s[0];
!       for (i = 0; i <= cnt; i++)
!               s[i] = ntohs(s[i]);
  #endif

        if (!xdr_pag(xdrs, &res))
--- 267,278 ----
        res.status = mygetpage(res.pag_u.ok.blkdat, &(res.pag_u.ok.blkno), m);

  #ifdef DOSWAB
!       if (res.status == OK) {
!               s = (short *)res.pag_u.ok.blkdat;
!               cnt = s[0];
!               for (i = 0; i <= cnt; i++)
!                       s[i] = htons(s[i]);
!       }
  #endif

        if (!xdr_pag(xdrs, &res))
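
Review bot: inside the new `if (res.status == OK)` block, `cnt = s[0]` still drives `for (i = 0; i <= cnt; i++)` with no upper bound, so a damaged page whose first short is too large would make the loop swap past res.pag_u.ok.blkdat even when the status is OK. Suggest checking cnt against the number of shorts that fit in blkdat before the loop, and failing the transfer when it does not fit.
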
***************
*** 283,292 ****
                                        &(res.pag_u.ok.blkno), m);

  #ifdef DOSWAB
!               s = (short *)res.pag_u.ok.blkdat;
!               cnt = s[0];
!               for (i = 0; i <= cnt; i++)
!                       s[i] = ntohs(s[i]);
  #endif

                if (!xdr_pag(xdrs, &res))
--- 285,296 ----
                                        &(res.pag_u.ok.blkno), m);

  #ifdef DOSWAB
!               if (res.status == OK) {
!                       s = (short *)res.pag_u.ok.blkdat;
!                       cnt = s[0];
!                       for (i = 0; i <= cnt; i++)
!                               s[i] = htons(s[i]);
!               }
  #endif

                if (!xdr_pag(xdrs, &res))
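
Review bot: the switch from ntohs() to htons() in `s[i] = htons(s[i]);` is not mentioned in the analysis, which only explains the status check. The two calls perform the same swap, so behaviour is unchanged, but a line in the fix description saying it is a naming correction for the sending side would help. This block is also a line-for-line copy of the one at 267-278, so a small static helper called from both places would keep the guard from drifting between the two sites.
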
This message posted from opensolaris.org
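
The failure described in the analysis above, reproduced as an added stand-alone example (it is not code from ypxfrd_server.c or from the original post). `fake_getpage()`, `swap_page()`, `eof_swap_result()`, the block size and the page contents are constructed for illustration, and the demo reports the overrun instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PBLK 16                      /* constructed block size in shorts (assumption) */
enum { ST_OK = 0, ST_EOF = 1 };      /* stand-ins for OK and GETDBM_EOF */

/* Unconditional swap, so the demo acts like ntohs()/htons() on x86 on any host. */
static uint16_t swab16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Hypothetical stand-in for mygetpage(): one page, then EOF with the block untouched. */
static int fake_getpage(uint16_t *blk, int *calls)
{
    if ((*calls)++ > 0) return ST_EOF;
    memset(blk, 0, PBLK * sizeof(blk[0]));
    blk[0] = 3;                      /* constructed page: length word, then 3 entries */
    blk[1] = 0x1111; blk[2] = 0x2222; blk[3] = 0x3333;
    return ST_OK;
}

/* DOSWAB step. Returns shorts swapped, or -1 where the loop would leave the block. */
static long swap_page(uint16_t *blk, int status, int guarded)
{
    long cnt, i;
    if (guarded && status != ST_OK)
        return 0;                    /* the fix: nothing new to encode */
    cnt = blk[0];
    if (cnt >= PBLK) return -1;      /* demo only: report rather than corrupt memory */
    for (i = 0; i <= cnt; i++)
        blk[i] = swab16(blk[i]);
    return cnt + 1;
}

/* Runs page 1 then EOF; returns what the swap step does on the EOF pass. */
static long eof_swap_result(int guarded)
{
    uint16_t blk[PBLK];
    int calls = 0;
    int st = fake_getpage(blk, &calls);
    swap_page(blk, st, guarded);     /* swaps 4 shorts; blk[0] is now 0x0300 */
    st = fake_getpage(blk, &calls);  /* EOF: block still holds the swapped page */
    return swap_page(blk, st, guarded);
}

int main(void)
{
    printf("unguarded: %ld, guarded: %ld\n", eof_swap_result(0), eof_swap_result(1));
    return 0;
}
```

On the EOF pass the unguarded path reads the stale length 0x0300 (768) where the page held 3, which is the bogus count the analysis refers to.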