From: Mark Vitale Date: Wed, 6 Jun 2018 19:23:26 +0000 (-0400) Subject: xdr: avoid xdr_enum memory overrun X-Git-Tag: upstream/1.8.1_pre2^2~15 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=101c114bd3bcc662c49a565dffc597a70ef1ea80;p=packages%2Fo%2Fopenafs.git xdr: avoid xdr_enum memory overrun Since openafs-ibm-1_0, xdr_enum has used xdr_long to read and write, even though enum_t is defined as int. For systems where sizeof(int) == sizeof(long), this works by accident. But other systems (e.g., DARWIN ARCHFLAGS=x86_64) xdr_enum will overrun its int-sized second parameter. For XDR_DECODE, this results in memory corruption. This was first noticed with OpenAFS 1.8.0 on macOS 10.13; if aklog is issued while already holding a token, it will fail in token_SetsEquivalent with a segfault in decodeToken. The root cause is that the address passed to decodeToken had been overwritten by a previous call to tokenType -> xdr_enum -> xdr_long. Instead, modify xdr_enum to use xdr_int for its work. Reviewed-on: https://gerrit.openafs.org/13075 Tested-by: BuildBot Reviewed-by: Andrew Deason Reviewed-by: Benjamin Kaduk (cherry picked from commit eb1d2ef203a2a99c908b3b89d9ea8337a91b944b) Change-Id: I548ab43fe4513262b6be0608be45bfd8580e6ed8 Reviewed-on: https://gerrit.openafs.org/13183 Tested-by: BuildBot Reviewed-by: Michael Meffie Reviewed-by: Joe Gorse Reviewed-by: Andrew Deason Reviewed-by: Marcio Brito Barbosa Reviewed-by: Mark Vitale Reviewed-by: Benjamin Kaduk --- diff --git a/src/rx/xdr.c b/src/rx/xdr.c index df6d179c5..fa106c8dc 100644 --- a/src/rx/xdr.c +++ b/src/rx/xdr.c @@ -338,7 +338,7 @@ xdr_enum(XDR * xdrs, enum_t * ep) * enums are treated as ints */ - return (xdr_long(xdrs, (long *)ep)); + return (xdr_int(xdrs, ep)); }
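Review bot: The new return line in xdr_enum, `return (xdr_int(xdrs, ep));`, is only correct while enum_t stays exactly int-sized, and nothing in the hunk enforces that. The removed `(long *)ep` cast is what hid the size mismatch from the compiler, so dropping it is the right move, since a future change to enum_t would now produce a pointer-type diagnostic instead of a silent overrun. Consider adding a compile-time check next to the existing "enums are treated as ints" comment that sizeof(enum_t) == sizeof(int), so the assumption is stated in code rather than only in a comment. The commit message describes the XDR_DECODE corruption as found on a platform where sizeof(int) != sizeof(long), but the patch adds no regression test. A decode of an enum into an int-sized field followed by a sentinel value, run on an LP64 build, would catch a reintroduction. It is also worth auditing other callers that pass a `(long *)` cast of a narrower object to xdr_long, since the same pattern would overrun in the same way.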