From 4b2e40a9259fab08161e1c607b06a41e15d543dc Mon Sep 17 00:00:00 2001
From: Stefan Liebler <stli@linux.ibm.com>
Date: Fri, 4 Dec 2020 17:00:27 +0100
Subject: Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.

If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:
svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
  274 |   memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

In out-of-memory case, if one of the mallocs in makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL
and the subsequent memcpy would copy to NULL.

Instead of a segfaulting, we delay a bit (see also __svc_accept_failed
and Bug 14889 (CVE-2011-4609) - svc_run() produces high cpu usage when
accept() fails with EMFILE (CVE-2011-4609).

The same applies to svc_unix.c.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---
 include/rpc/svc.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include')

diff --git a/include/rpc/svc.h b/include/rpc/svc.h
index 465bf44..d9c0e8f 100644
--- a/include/rpc/svc.h
+++ b/include/rpc/svc.h
@@ -38,6 +38,7 @@ libc_hidden_proto (svc_getreq_common)
 libc_hidden_proto (svc_getreq_poll)
 
 extern void __svc_accept_failed (void) attribute_hidden;
+extern void __svc_wait_on_error (void) attribute_hidden;
 
 # endif /* !_ISOMAC */
 #endif
-- 
cgit v1.1