HardenedBSD/lib/libc/rpc/svc.c
Bill Paul 4c45fb08aa Correct a bug in the 'allow arbitrary number of socket descriptors' changes
made to the RPC code some months ago. The value of __svc_fdsetsize is being
calculated incorrectly.

Logically, one would assume that __svc_fdsetsize is being used as a
substitute for FD_SETSIZE, with the difference being that __svc_fdsetsize
can be expanded on the fly to accomodate more descriptors if need be.
There are two problems: first, __svc_fdsetsize is not initialized to 0.
Second, __svc_fdsetsize is being calculated in svc.c:xprt_registere() as:

                __svc_fdsetsize = howmany(sock+1, NFDBITS);

This is wrong. If we are adding a socket with index value 4 to the
descriptor set, then __svc_fdsetsize will be 1 (since fds_bits is
an unsigned long, it can support any descriptor from 0 to 31, so we
only need one of them). In order for this to make sense with the
rest of the code though, it should be:

                __svc_fdsetsize = howmany(sock+1, NFDBITS) * NFDBITS;

Now if sock == 4, __svc_fdsetsize will be 32.

This bug causes 2 errors to occur. First, in xprt_register(), it
causes the __svc_fdset descriptor array to be freed and reallocated
unnecessarily. The code checks if it needs to expand the array using
the test: if (sock + 1 > __svc_fdsetsize). The very first time through,
__svc_fdsetsize is 0, which is fine: an array has to be allocated the
first time out. However __svc_fdsetsize is incorrectly set to 1, so
on the second time through, the test (sock + 1 > __svc_fdsetsize)
will still succeed, and the __svc_fdset array will be destroyed and
reallocated for no reason.

Second, the code in svc_run.c:svc_run() can become hopelessly confused.
The svc_run() routine malloc()s its own fd_set array using the value
of __svc_fdsetsize to decide how much memory to allocate. Once the
xprt_register() function expands the __svc_fdset array the first time,
the value for __svc_fdsetsize becomes 2, which is too small: the resulting
calculation causes the code to allocate an array that's only 32 bits wide
when it actually needs 64 bits. It also uses the valuse of __svc_fdsetsize
when copying the contents of the __svc_fdset array into the new array.
The end result is that all but the first 32 file descriptors get lost.

Note: from what I can tell, this bug originated in OpenBSD and was
brought over to us when the code was merged. The bug is still there
in the OpenBSD source.

Total nervous breakdown averted by: Electric Fence 2.0.5
1997-10-14 21:50:17 +00:00

495 lines
12 KiB
C

/*
* Sun RPC is a product of Sun Microsystems, Inc. and is provided for
* unrestricted use provided that this legend is included on all tape
* media and as a part of the software program in whole or part. Users
* may copy or modify Sun RPC without charge, but are not authorized
* to license or distribute it to anyone else except as part of a product or
* program developed by the user.
*
* SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
* WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
* PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
*
* Sun RPC is provided with no support and without any obligation on the
* part of Sun Microsystems, Inc. to assist in its use, correction,
* modification or enhancement.
*
* SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
* INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
* OR ANY PART THEREOF.
*
* In no event will Sun Microsystems, Inc. be liable for any lost revenue
* or profits or other special, indirect and consequential damages, even if
* Sun has been advised of the possibility of such damages.
*
* Sun Microsystems, Inc.
* 2550 Garcia Avenue
* Mountain View, California 94043
*/
#if defined(LIBC_SCCS) && !defined(lint)
/*static char *sccsid = "from: @(#)svc.c 1.44 88/02/08 Copyr 1984 Sun Micro";*/
/*static char *sccsid = "from: @(#)svc.c 2.4 88/08/11 4.0 RPCSRC";*/
static char *rcsid = "$Id: svc.c,v 1.12 1997/05/28 05:05:23 wpaul Exp $";
#endif
/*
* svc.c, Server-side remote procedure call interface.
*
* There are two sets of procedures here. The xprt routines are
* for handling transport handles. The svc routines handle the
* list of service routines.
*
* Copyright (C) 1984, Sun Microsystems, Inc.
*/
#include <string.h>
#include <stdlib.h>
#include <sys/errno.h>
#include <rpc/rpc.h>
#include <rpc/pmap_clnt.h>
static SVCXPRT **xports;
static int xportssize;
#define NULL_SVC ((struct svc_callout *)0)
#define RQCRED_SIZE 400 /* this size is excessive */
#define max(a, b) (a > b ? a : b)
/*
* The services list
* Each entry represents a set of procedures (an rpc program).
* The dispatch routine takes request structs and runs the
* apropriate procedure.
*/
static struct svc_callout {
struct svc_callout *sc_next;
u_long sc_prog;
u_long sc_vers;
void (*sc_dispatch)();
} *svc_head;
static struct svc_callout *svc_find();
int __svc_fdsetsize = 0;
fd_set *__svc_fdset = NULL;
/* *************** SVCXPRT related stuff **************** */
/*
* Activate a transport handle.
*/
void
xprt_register(xprt)
SVCXPRT *xprt;
{
register int sock = xprt->xp_sock;
if (sock + 1 > __svc_fdsetsize) {
int bytes = howmany(sock + 1, NFDBITS) * sizeof(fd_mask);
fd_set *fds;
fds = (fd_set *)malloc(bytes);
memset(fds, 0, bytes);
if (__svc_fdset) {
memcpy(fds, __svc_fdset, howmany(__svc_fdsetsize,
NFDBITS) * sizeof(fd_mask));
free(__svc_fdset);
}
__svc_fdset = fds;
__svc_fdsetsize = howmany(sock+1, NFDBITS) * NFDBITS;
}
if (sock < FD_SETSIZE)
FD_SET(sock, &svc_fdset);
FD_SET(sock, __svc_fdset);
if (xports == NULL || sock + 1 > xportssize) {
SVCXPRT **xp;
int size = FD_SETSIZE;
if (sock + 1 > size)
size = sock + 1;
xp = (SVCXPRT **)mem_alloc(size * sizeof(SVCXPRT *));
memset(xp, 0, size * sizeof(SVCXPRT *));
if (xports) {
memcpy(xp, xports, xportssize * sizeof(SVCXPRT *));
free(xports);
}
xportssize = size;
xports = xp;
}
xports[sock] = xprt;
svc_maxfd = max(svc_maxfd, sock);
}
/*
* De-activate a transport handle.
*/
void
xprt_unregister(xprt)
SVCXPRT *xprt;
{
register int sock = xprt->xp_sock;
if (xports[sock] == xprt) {
xports[sock] = (SVCXPRT *)0;
if (sock < FD_SETSIZE)
FD_CLR(sock, &svc_fdset);
FD_CLR(sock, __svc_fdset);
if (sock == svc_maxfd) {
for (svc_maxfd--; svc_maxfd >= 0; svc_maxfd--)
if (xports[svc_maxfd])
break;
}
/*
* XXX could use svc_maxfd as a hint to
* decrease the size of __svc_fdset
*/
}
}
/* ********************** CALLOUT list related stuff ************* */
/*
* Add a service program to the callout list.
* The dispatch routine will be called when a rpc request for this
* program number comes in.
*/
bool_t
svc_register(xprt, prog, vers, dispatch, protocol)
SVCXPRT *xprt;
u_long prog;
u_long vers;
void (*dispatch)();
int protocol;
{
struct svc_callout *prev;
register struct svc_callout *s;
if ((s = svc_find(prog, vers, &prev)) != NULL_SVC) {
if (s->sc_dispatch == dispatch)
goto pmap_it; /* he is registering another xptr */
return (FALSE);
}
s = (struct svc_callout *)mem_alloc(sizeof(struct svc_callout));
if (s == (struct svc_callout *)0) {
return (FALSE);
}
s->sc_prog = prog;
s->sc_vers = vers;
s->sc_dispatch = dispatch;
s->sc_next = svc_head;
svc_head = s;
pmap_it:
/* now register the information with the local binder service */
if (protocol) {
return (pmap_set(prog, vers, protocol, xprt->xp_port));
}
return (TRUE);
}
/*
* Remove a service program from the callout list.
*/
void
svc_unregister(prog, vers)
u_long prog;
u_long vers;
{
struct svc_callout *prev;
register struct svc_callout *s;
if ((s = svc_find(prog, vers, &prev)) == NULL_SVC)
return;
if (prev == NULL_SVC) {
svc_head = s->sc_next;
} else {
prev->sc_next = s->sc_next;
}
s->sc_next = NULL_SVC;
mem_free((char *) s, (u_int) sizeof(struct svc_callout));
/* now unregister the information with the local binder service */
(void)pmap_unset(prog, vers);
}
/*
* Search the callout list for a program number, return the callout
* struct.
*/
static struct svc_callout *
svc_find(prog, vers, prev)
u_long prog;
u_long vers;
struct svc_callout **prev;
{
register struct svc_callout *s, *p;
p = NULL_SVC;
for (s = svc_head; s != NULL_SVC; s = s->sc_next) {
if ((s->sc_prog == prog) && (s->sc_vers == vers))
goto done;
p = s;
}
done:
*prev = p;
return (s);
}
/* ******************* REPLY GENERATION ROUTINES ************ */
/*
* Send a reply to an rpc request
*/
bool_t
svc_sendreply(xprt, xdr_results, xdr_location)
register SVCXPRT *xprt;
xdrproc_t xdr_results;
caddr_t xdr_location;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = SUCCESS;
rply.acpted_rply.ar_results.where = xdr_location;
rply.acpted_rply.ar_results.proc = xdr_results;
return (SVC_REPLY(xprt, &rply));
}
/*
* No procedure error reply
*/
void
svcerr_noproc(xprt)
register SVCXPRT *xprt;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROC_UNAVAIL;
SVC_REPLY(xprt, &rply);
}
/*
* Can't decode args error reply
*/
void
svcerr_decode(xprt)
register SVCXPRT *xprt;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = GARBAGE_ARGS;
SVC_REPLY(xprt, &rply);
}
/*
* Some system error
*/
void
svcerr_systemerr(xprt)
register SVCXPRT *xprt;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = SYSTEM_ERR;
SVC_REPLY(xprt, &rply);
}
/*
* Authentication error reply
*/
void
svcerr_auth(xprt, why)
SVCXPRT *xprt;
enum auth_stat why;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_DENIED;
rply.rjcted_rply.rj_stat = AUTH_ERROR;
rply.rjcted_rply.rj_why = why;
SVC_REPLY(xprt, &rply);
}
/*
* Auth too weak error reply
*/
void
svcerr_weakauth(xprt)
SVCXPRT *xprt;
{
svcerr_auth(xprt, AUTH_TOOWEAK);
}
/*
* Program unavailable error reply
*/
void
svcerr_noprog(xprt)
register SVCXPRT *xprt;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROG_UNAVAIL;
SVC_REPLY(xprt, &rply);
}
/*
* Program version mismatch error reply
*/
void
svcerr_progvers(xprt, low_vers, high_vers)
register SVCXPRT *xprt;
u_long low_vers;
u_long high_vers;
{
struct rpc_msg rply;
rply.rm_direction = REPLY;
rply.rm_reply.rp_stat = MSG_ACCEPTED;
rply.acpted_rply.ar_verf = xprt->xp_verf;
rply.acpted_rply.ar_stat = PROG_MISMATCH;
rply.acpted_rply.ar_vers.low = low_vers;
rply.acpted_rply.ar_vers.high = high_vers;
SVC_REPLY(xprt, &rply);
}
/* ******************* SERVER INPUT STUFF ******************* */
/*
* Get server side input from some transport.
*
* Statement of authentication parameters management:
* This function owns and manages all authentication parameters, specifically
* the "raw" parameters (msg.rm_call.cb_cred and msg.rm_call.cb_verf) and
* the "cooked" credentials (rqst->rq_clntcred).
* However, this function does not know the structure of the cooked
* credentials, so it make the following assumptions:
* a) the structure is contiguous (no pointers), and
* b) the cred structure size does not exceed RQCRED_SIZE bytes.
* In all events, all three parameters are freed upon exit from this routine.
* The storage is trivially management on the call stack in user land, but
* is mallocated in kernel land.
*/
void
svc_getreq(rdfds)
int rdfds;
{
fd_set readfds;
FD_ZERO(&readfds);
readfds.fds_bits[0] = rdfds;
svc_getreqset(&readfds);
}
void
svc_getreqset(readfds)
fd_set *readfds;
{
svc_getreqset2(readfds, FD_SETSIZE);
}
void
svc_getreqset2(readfds, width)
fd_set *readfds;
int width;
{
enum xprt_stat stat;
struct rpc_msg msg;
int prog_found;
u_long low_vers;
u_long high_vers;
struct svc_req r;
register SVCXPRT *xprt;
register int bit;
register int sock;
register fd_mask mask, *maskp;
char cred_area[2*MAX_AUTH_BYTES + RQCRED_SIZE];
msg.rm_call.cb_cred.oa_base = cred_area;
msg.rm_call.cb_verf.oa_base = &(cred_area[MAX_AUTH_BYTES]);
r.rq_clntcred = &(cred_area[2*MAX_AUTH_BYTES]);
maskp = readfds->fds_bits;
for (sock = 0; sock < width; sock += NFDBITS) {
for (mask = *maskp++; (bit = ffs(mask)); mask ^= (1 << (bit - 1))) {
/* sock has input waiting */
xprt = xports[sock + bit - 1];
if (xprt == NULL)
/* But do we control sock? */
continue;
/* now receive msgs from xprtprt (support batch calls) */
do {
if (SVC_RECV(xprt, &msg)) {
/* now find the exported program and call it */
register struct svc_callout *s;
enum auth_stat why;
r.rq_xprt = xprt;
r.rq_prog = msg.rm_call.cb_prog;
r.rq_vers = msg.rm_call.cb_vers;
r.rq_proc = msg.rm_call.cb_proc;
r.rq_cred = msg.rm_call.cb_cred;
/* first authenticate the message */
if ((why= _authenticate(&r, &msg)) != AUTH_OK) {
svcerr_auth(xprt, why);
goto call_done;
}
/* now match message with a registered service*/
prog_found = FALSE;
low_vers = (u_long) - 1;
high_vers = 0;
for (s = svc_head; s != NULL_SVC; s = s->sc_next) {
if (s->sc_prog == r.rq_prog) {
if (s->sc_vers == r.rq_vers) {
(*s->sc_dispatch)(&r, xprt);
goto call_done;
} /* found correct version */
prog_found = TRUE;
if (s->sc_vers < low_vers)
low_vers = s->sc_vers;
if (s->sc_vers > high_vers)
high_vers = s->sc_vers;
} /* found correct program */
}
/*
* if we got here, the program or version
* is not served ...
*/
if (prog_found)
svcerr_progvers(xprt,
low_vers, high_vers);
else
svcerr_noprog(xprt);
/* Fall through to ... */
}
call_done:
if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
SVC_DESTROY(xprt);
break;
}
} while (stat == XPRT_MOREREQS);
}
}
}