diff options
Diffstat (limited to 'src/lib/rpc/clnt_raw.c')
-rw-r--r-- | src/lib/rpc/clnt_raw.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c index ec5fa6f..44fbf5d 100644 --- a/src/lib/rpc/clnt_raw.c +++ b/src/lib/rpc/clnt_raw.c @@ -169,8 +169,23 @@ call_again: msg.acpted_rply.ar_verf = _null_auth; msg.acpted_rply.ar_results.where = resultsp; msg.acpted_rply.ar_results.proc = xresults; - if (! xdr_replymsg(xdrs, &msg)) + if (! xdr_replymsg(xdrs, &msg)) { + /* + * It's possible for xdr_replymsg() to fail partway + * through its attempt to decode the result from the + * server. If this happens, it will leave the reply + * structure partially populated with dynamically + * allocated memory. (This can happen if someone uses + * clntudp_bufcreate() to create a CLIENT handle and + * specifies a receive buffer size that is too small.) + * This memory must be free()ed to avoid a leak. + */ + int op = xdrs->x_op; + xdrs->x_op = XDR_FREE; + xdr_replymsg(xdrs, &msg); + xdrs->x_op = op; return (RPC_CANTDECODERES); + } sunrpc_seterr_reply(&msg, &error); status = error.re_status; |