From owner-freebsd-bugs@FreeBSD.ORG Fri Feb 4 10:10:10 2011
Message-Id: <20110204100912.GA47729@pm513-1.comsys.ntu-kpi.kiev.ua>
Date: Fri, 4 Feb 2011 12:09:12 +0200
From: Andrey Simonenko
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: bin/154505: Buffer underflow in RPC library for non-blocking TCP sockets
Resent-Date: Fri, 4 Feb 2011 10:10:09 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andrey Simonenko
List-Id: Bug reports
X-List-Received-Date: Fri, 04 Feb 2011 10:10:10 -0000

>Number:         154505
>Category:       bin
>Synopsis:       Buffer underflow in RPC library for non-blocking TCP sockets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 04 10:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Simonenko
>Release:        FreeBSD 8.2-PRERELEASE and 9.0-CURRENT
>Organization:
>Environment:
>Description:
The libc/rpc/svc_vc.c:write_vc() function calls _write() and sends data to an opened TCP connection. For a non-blocking socket it has something like a timeout of 2 seconds (actually write_vc() can spend more real time sending for a non-blocking socket).

The i variable is used as an offset into a buffer and as a counter at the same time. When _write() fails this variable gets the -1 value and this value is added to the buffer address and to the counter (the buffer address is decreased and the counter value is actually increased). So we get a buffer underflow. As a result write_vc() can send data that does not belong to the data that were expected to be sent, so this is a security mistake for any program that uses RPC with a non-blocking TCP socket.
>How-To-Repeat:
Run any RPC program that transfers a large amount of data over a non-blocking TCP socket. A client will receive truncated data or garbage data, or data that should not be sent to a client (everything depends on how memory blocks were allocated in a server).
>Fix: This is the update (this is the minimal version, without optimization):
--- svc_vc.c.orig 2009-08-03 11:13:06.000000000 +0300 +++ svc_vc.c 2011-01-31 11:31:28.000000000 +0200 @@ -546,7 +546,7 @@ write_vc(xprtp, buf, len) cd->strm_stat = XPRT_DIED; return (-1); } - if (cd->nonblock && i != cnt) { + if (cd->nonblock) { /* * For non-blocking connections, do not * take more than 2 seconds writing the @@ -560,6 +560,7 @@ write_vc(xprtp, buf, len) return (-1); } } + i = 0; } }
>Release-Note:
>Audit-Trail:
>Unformatted:
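Review bot: Dropping `i != cnt` in the first hunk (@@ -546,7 +546,7 @@) is correct but leaves a test that can no longer fail: this branch is only reached after `_write()` returned -1 (the description says i is -1 here) while the loop still has cnt > 0, so `i != cnt` was always true, and the `cd->nonblock` that remains is only meaningful if the guard just above the hunk's context (the one that sets `XPRT_DIED` and returns) does not already return for the blocking case; if it does, `if (cd->nonblock)` is always true at this point and the timeout block could simply be unconditional. Worth checking against the lines preceding the hunk before committing, so the condition either earns its keep or goes.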
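Review bot: The `i = 0;` in the second hunk (@@ -560,6 +560,7 @@) is placed after the inner `if` closes, so it applies to every failed write that survives the 2-second check, which is the right spot since the loop header applies i to both the buffer pointer and the remaining count; a one-line comment there (a failed `_write()` must neither advance nor rewind buf) would stop a later cleanup from removing it as dead code. Note also that with i reset to 0 the loop calls `_write()` again immediately on EAGAIN and spins for up to the 2 seconds the comment mentions; waiting for writability with `poll()` bounded by the remaining time would avoid that busy loop, though that is the optimization the submitter explicitly left out of this minimal version.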
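To make the failure mode concrete, here is an added example (my own code, not from this PR and not FreeBSD's libc) that reproduces the write loop of write_vc() against a constructed fake _write() which returns EAGAIN on its first two calls and then accepts four bytes per call. The message buffer is placed directly after a constructed "SECRET" prefix, the 2-second timeout is replaced by the bounded number of EAGAINs, and the names fake_write, write_vc_buggy, write_vc_fixed and sent_matches are assumptions of this example. With the original loop the two failed writes step the buffer pointer back two bytes and grow the count by two, so the "socket" receives 14 bytes beginning with "ET" from before the message while write_vc() still reports success; with the i = 0 reset from the patch exactly the 12 message bytes are sent.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed memory layout (not from the PR): the RPC message sits right
 * after other process data, which is what the underflow ends up exposing. */
#define PREFIX_LEN 6
#define MSG_LEN 12
static const char region[] = "SECRET" "payload-data";

/* Constructed stand-in for the TCP socket: every byte "sent" lands here. */
static char sink[64];
static size_t sink_len;
static int call_no;

/* Fake _write() (assumption: stands in for the real syscall). The first two
 * calls fail with EAGAIN, as a non-blocking socket does when its send buffer
 * is full; later calls accept at most 4 bytes each so the loop must iterate.
 * Bounding the EAGAINs replaces write_vc()'s 2-second timeout. */
static ssize_t
fake_write(const void *buf, size_t cnt)
{
	size_t n;

	call_no++;
	if (call_no <= 2) {
		errno = EAGAIN;
		return (-1);
	}
	n = cnt > 4 ? 4 : cnt;
	memcpy(sink + sink_len, buf, n);
	sink_len += n;
	return ((ssize_t)n);
}

/* Loop shape of write_vc() before the patch: i is both the byte count of the
 * last write and the step the for-increment applies to buf and cnt. */
static int
write_vc_buggy(const void *buf, int len)
{
	int i, cnt;

	for (cnt = len; cnt > 0; cnt -= i, buf = (const char *)buf + i) {
		i = (int)fake_write(buf, cnt);
		if (i < 0) {
			if (errno != EAGAIN)
				return (-1);
			/* the original's timeout check goes here; i is
			 * still -1 when the increment runs, so buf steps
			 * back one byte and cnt grows by one */
		}
	}
	return (len);
}

/* Same loop with the PR's i = 0 reset: a failed write neither advances
 * nor rewinds the buffer, and cnt is left alone. */
static int
write_vc_fixed(const void *buf, int len)
{
	int i, cnt;

	for (cnt = len; cnt > 0; cnt -= i, buf = (const char *)buf + i) {
		i = (int)fake_write(buf, cnt);
		if (i < 0) {
			if (errno != EAGAIN)
				return (-1);
			i = 0;
		}
	}
	return (len);
}

/* Run one writer over the message and compare what reached the wire with
 * an expected byte string, in both length and content. Returns 1 on match. */
static int
sent_matches(int (*writer)(const void *, int), const char *expect)
{
	memset(sink, 0, sizeof(sink));
	sink_len = 0;
	call_no = 0;
	if (writer(region + PREFIX_LEN, MSG_LEN) != MSG_LEN)
		return (0);
	return (sink_len == strlen(expect) &&
	    memcmp(sink, expect, sink_len) == 0);
}

int
main(void)
{
	printf("buggy loop sends \"ETpayload-data\": %d\n",
	    sent_matches(write_vc_buggy, "ETpayload-data"));
	printf("fixed loop sends \"payload-data\":  %d\n",
	    sent_matches(write_vc_fixed, "payload-data"));
	return (0);
}
```

The buggy variant returns len, i.e. success, even though two bytes from outside the caller's buffer went out and the message was sent with a two-byte prefix, which is exactly why a peer sees "data that should not be sent to a client" rather than an error.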