diff options
-rw-r--r-- | src/lib/rpc/ChangeLog | 7 | ||||
-rw-r--r-- | src/lib/rpc/svc.c | 20 |
2 files changed, 21 insertions, 6 deletions
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index f58e800985..1e90d7fdaa 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,10 @@ +2004-08-17 Tom Yu <tlyu@mit.edu> + + * svc.c (svc_getreqset): Allocate cred and verf memory to + temporary pointers, and free the temporary pointers on exit. + Freeing the actual cred and verf pointers can cause corruption + because auth mechanisms can reassign the pointers. + 2004-08-16 Tom Yu <tlyu@mit.edu> * svc_auth_gss.c (gssrpc__svcauth_gss): Add some debug messages. diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index e7f3243cfa..ac69df48f1 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -420,10 +420,18 @@ svc_getreqset(readfds) register SVCXPRT *xprt; register int sock; bool_t no_dispatch; + caddr_t rawcred, rawverf, cookedcred; - msg.rm_call.cb_cred.oa_base = mem_alloc(MAX_AUTH_BYTES); - msg.rm_call.cb_verf.oa_base = mem_alloc(MAX_AUTH_BYTES); - r.rq_clntcred = mem_alloc(RQCRED_SIZE); + rawcred = mem_alloc(MAX_AUTH_BYTES); + rawverf = mem_alloc(MAX_AUTH_BYTES); + cookedcred = mem_alloc(RQCRED_SIZE); + + if (rawcred == NULL || rawverf == NULL || cookedcred == NULL) + return; + + msg.rm_call.cb_cred.oa_base = rawcred; + msg.rm_call.cb_verf.oa_base = rawverf; + r.rq_clntcred = cookedcred; #ifdef FD_SETSIZE for (sock = 0; sock <= max_xport; sock++) { @@ -497,7 +505,7 @@ svc_getreqset(readfds) } while (stat == XPRT_MOREREQS); } } - mem_free(msg.rm_call.cb_cred.oa_base, MAX_AUTH_BYTES); - mem_free(msg.rm_call.cb_verf.oa_base, MAX_AUTH_BYTES); - mem_free(r.rq_clntcred, RQCRED_SIZE); + mem_free(rawcred, MAX_AUTH_BYTES); + mem_free(rawverf, MAX_AUTH_BYTES); + mem_free(cookedcred, RQCRED_SIZE); } |