From simon@comsys.ntu-kpi.kiev.ua  Fri Feb  4 10:09:14 2011
Return-Path: <simon@comsys.ntu-kpi.kiev.ua>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 19171106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  4 Feb 2011 10:09:14 +0000 (UTC)
	(envelope-from simon@comsys.ntu-kpi.kiev.ua)
Received: from comsys.kpi.ua (comsys.kpi.ua [77.47.192.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 92EE68FC0A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  4 Feb 2011 10:09:13 +0000 (UTC)
Received: from pm513-1.comsys.kpi.ua ([10.18.52.101] helo=pm513-1.comsys.ntu-kpi.kiev.ua)
	by comsys.kpi.ua with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.63)
	(envelope-from <simon@comsys.ntu-kpi.kiev.ua>)
	id 1PlIac-0006XY-Au
	for FreeBSD-gnats-submit@freebsd.org; Fri, 04 Feb 2011 12:08:30 +0200
Received: by pm513-1.comsys.ntu-kpi.kiev.ua (Postfix, from userid 1001)
	id DBC591CC1E; Fri,  4 Feb 2011 12:09:12 +0200 (EET)
Message-Id: <20110204100912.GA47729@pm513-1.comsys.ntu-kpi.kiev.ua>
Date: Fri, 4 Feb 2011 12:09:12 +0200
From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Buffer underflow in RPC library for non-blocking TCP sockets

>Number:         154505
>Category:       kern
>Synopsis:       [libc] [patch] Buffer underflow in RPC library for non-blocking TCP sockets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rmacklem
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 04 10:10:09 UTC 2011
>Closed-Date:    Thu Oct 20 22:41:51 UTC 2011
>Last-Modified:  Thu Oct 20 22:41:51 UTC 2011
>Originator:     Andrey Simonenko
>Release:        FreeBSD 8.2-PRERELEASE and 9.0-CURRENT
>Organization:
>Environment:
>Description:

The libc/rpc/svc_vc.c:write_vc() function calls _write() and sends data
to an opened TCP connection.  For a non-blocking socket it has something like
a 2-second timeout (actually write_vc() can spend more real time
sending on a non-blocking socket).  The i variable is used as an offset into
the buffer and as a counter at the same time.  When _write() fails this
variable gets the value -1 and this value is added to the buffer address
and to the counter (the buffer address is decreased and the counter value
is actually increased).  So we get a buffer underflow.

As a result write_vc() can send data that does not belong to the data that
were expected to be sent, so this is a security mistake for any program
that uses RPC with a non-blocking TCP socket.
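To make the arithmetic above concrete, here is an added example (not FreeBSD's svc_vc.c) that models the write_vc() loop with a stand-in for _write(): the fake_write, write_loop and run names, the "SECRET:hello" array and the one-EAGAIN, 4-bytes-per-call behaviour are all constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef ssize_t (*write_fn)(const void *, size_t);

/* Constructed stand-in for _write() on a non-blocking socket (hypothetical):
 * the first call fails with EAGAIN, later calls accept at most 4 bytes. */
static int calls; static char sent[64]; static size_t sent_len;

static ssize_t fake_write(const void *buf, size_t cnt)
{
    if (calls++ == 0) { errno = EAGAIN; return -1; }
    size_t n = cnt < 4 ? cnt : 4;
    memcpy(sent + sent_len, buf, n);
    sent_len += n;
    return (ssize_t)n;
}

/* The loop shape the PR describes; `fixed` selects the patch's reset. i is both
 * the bytes written by one call and the step for the offset, so without the
 * reset a -1 return moves buf back one byte and raises cnt by one. */
static int write_loop(write_fn w, const void *buf, int len, int fixed)
{
    int i, cnt;
    for (cnt = len; cnt > 0; cnt -= i, buf = (const char *)buf + i) {
        i = (int)w(buf, (size_t)cnt);
        if (i < 0) {
            if (errno != EAGAIN)
                return -1;      /* hard error: give up */
            if (fixed)
                i = 0;          /* the patch: retry from the same offset */
        }
    }
    return len;
}

/* Sends "hello", which sits right after the constructed bytes "SECRET:", and returns what the socket got. */
static const char *run(int fixed)
{
    char mem[] = "SECRET:hello";        /* message starts at offset 7 */
    calls = 0; sent_len = 0; memset(sent, 0, sizeof sent);
    write_loop(fake_write, mem + 7, 5, fixed);
    return sent;
}

int main(void)
{
    printf("buggy: \"%s\"\nfixed: \"%s\"\n", run(0), run(1));  /* ":hello" / "hello" */
}
```

The buggy run sends six bytes starting one byte before the message, exactly the leak of neighbouring memory the description warns about; the fixed run sends the five intended bytes.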

>How-To-Repeat:

Run any RPC program that transfers big data over a non-blocking TCP socket.
A client will receive truncated data or garbage data, or data that should
not be sent to a client (everything depends on how memory blocks were
allocated in the server).

>Fix:
This is the update (this is the minimal version, without optimization):

--- svc_vc.c.orig	2009-08-03 11:13:06.000000000 +0300
+++ svc_vc.c	2011-01-31 11:31:28.000000000 +0200
@@ -546,7 +546,7 @@ write_vc(xprtp, buf, len)
 				cd->strm_stat = XPRT_DIED;
 				return (-1);
 			}
-			if (cd->nonblock && i != cnt) {
+			if (cd->nonblock) {
 				/*
 				 * For non-blocking connections, do not
 				 * take more than 2 seconds writing the
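Review bot: dropping `i != cnt` from the condition is cosmetic rather than a behaviour change: the description says this block is reached after `_write()` has returned -1, so `i` could never equal a positive `cnt` here, and the remaining `cd->nonblock` test is the only guard left. Say so in the commit message, or collapse the test into the preceding error-handling `if` whose `return (-1)` is visible above, so a reader does not search this hunk for the actual fix.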
@@ -560,6 +560,7 @@ write_vc(xprtp, buf, len)
 					return (-1);
 				}
 			}
+			i = 0;
 		}
 	}
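Review bot: the `i = 0;` reset is the substantive fix: as the description says, `i` is both the `_write()` return value and the step applied to the buffer pointer and remaining count, so the -1 from an EAGAIN failure must not reach the loop's increment. Its placement after the 2-second block is correct, since every path above it either returns or falls through to this line, but a comment such as `/* retry from the same offset */` would make the intent obvious; also, the original file is dated 2009-08-03, so confirm the hunk still applies cleanly to head before commit.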
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched
State-Changed-By: rmacklem
State-Changed-When: Mon Apr 11 20:15:10 UTC 2011
State-Changed-Why:

The patch has been applied to head and will be MFC'd in 2 weeks.

http://www.freebsd.org/cgi/query-pr.cgi?pr=154505
Responsible-Changed-From-To: freebsd-bugs->rmacklem
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Oct 12 14:44:42 UTC 2011
Responsible-Changed-Why:
Reassign to last person to poke at this :-)

http://www.freebsd.org/cgi/query-pr.cgi?pr=154505
State-Changed-From-To: patched->closed
State-Changed-By: rmacklem
State-Changed-When: Thu Oct 20 22:40:45 UTC 2011
State-Changed-Why:

The patch that fixed this (r220519) has now been MFC'd.

http://www.freebsd.org/cgi/query-pr.cgi?pr=154505
>Unformatted:
