From owner-freebsd-bugs@FreeBSD.ORG Tue Oct 9 22:30:07 2012
Message-Id: <201210091420.q99EKgpD097229@red.freebsd.org>
Date: Tue, 9 Oct 2012 14:20:42 GMT
From: Erik Cederstrand
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/172523: rpc.lockd: Check value of res->ai_family

>Number: 172523
>Category: misc
>Synopsis: rpc.lockd: Check value of res->ai_family
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 09 22:30:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Erik Cederstrand
>Release: CURRENT
>Organization:
>Environment:
>Description:
Found with Clang Static Analyzer:
http://scan.freebsd.your.org/freebsd-head/WORLD/2012-10-07-amd64/report-Ap4YNc.html#EndPath

Similar to the create_service() function, lookup_addresses() should fail if the value of res->ai_family is neither AF_INET or AF_INET6. The base type for res->ai_family is int, so there is no constraint that the value is with AF_INET or AF_INET6.
>How-To-Repeat:
>Fix:
See attached patch. Instead of "break;" in the default switch, fail like create_service() function does.

Patch attached with submission follows:

Index: head/usr.sbin/rpc.lockd/lockd.c =================================================================== --- head/usr.sbin/rpc.lockd/lockd.c (revision 241370) +++ head/usr.sbin/rpc.lockd/lockd.c (working copy) @@ -920,7 +920,10 @@ res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); break; default: - break; + syslog(LOG_ERR, + "bad addr fam %d", + res->ai_family); + exit(1); } } else { if ((aicode = getaddrinfo(NULL, svcport_str,

>Release-Note:
>Audit-Trail:
>Unformatted:
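
Review bot: In the new default: case, the log text "bad addr fam %d" does not name the function that rejected the address family. The description says create_service() fails the same way, so if it logs similar text the two exit paths cannot be told apart in syslog; consider prefixing the message with the function name, for example "lookup_addresses: bad addr fam %d". The syslog() call is also split over three lines where one would fit. Separately, the unchanged context line res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); takes the size of the ai_addr member itself; if res is a struct addrinfo, that member is a pointer, so the stored length is the pointer size rather than the length of the socket address, which is worth checking in a follow-up.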