date of the report (which has been done twice so far), but to do so Core
requires concrete details and a committed date for the release of a fix,
noting that it wasn't until AusCERT's email from April 14th that the
possibility that the vendor would release a patch seemed realistic.
Core is willing to postpone publication of the report provided that the
vendor commits to release a fix no later than June 30th (the upper bound
of the promised mid-year deadline indicated by the vendor). Core also
reminds the CERTs that its intent in notifying them of the bug was to
help coordinate a way to address the bug should an official patch or
fix not be made available by the vendor.
The variable svc_maxfd tracks the highest-numbered file descriptor
registered with the RPC library as a transport handle. While the
registration function does check that the file descriptor number is
less than FD_SETSIZE for array references, the code for updating
svc_maxfd is not so protected. Elsewhere, svc_maxfd is used as an
upper bound for array indexing, and as the maximum file descriptor
number to pass to select().
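The fix the paragraph implies, as an added example rather than the Kerberos RPC library's own code (svc_register_fd, rpc_transports and the handle values are hypothetical): the same FD_SETSIZE bound that already guards the array store is applied before svc_maxfd is updated, so its later uses as an array bound and as the select() limit stay in range.

```c
#include <sys/select.h>

/* Added example; names are hypothetical, not the library's own. */
static int svc_maxfd = -1;              /* highest registered fd, -1 = none */
static int rpc_transports[FD_SETSIZE];  /* per-fd handle table, indexed by fd */

/* Register fd as a transport handle. The unprotected pattern described in
 * the text updates svc_maxfd before (or regardless of) the FD_SETSIZE check:
 *     if (fd > svc_maxfd) svc_maxfd = fd;      // no bound
 *     if (fd < FD_SETSIZE) rpc_transports[fd] = handle;
 * Here the bound check comes first and rejects the fd for both uses. */
int svc_register_fd(int fd, int handle)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;                      /* out of range for the table and for fd_set */
    rpc_transports[fd] = handle;
    if (fd > svc_maxfd)
        svc_maxfd = fd;                 /* only reached for an in-range fd */
    return 0;
}

/* Build the read set for select(). Since svc_maxfd < FD_SETSIZE is now an
 * invariant, the loop never indexes past rpc_transports[] and FD_SET() never
 * writes past the fd_set. Returns the nfds argument for select(). */
int svc_build_readfds(fd_set *readfds)
{
    FD_ZERO(readfds);
    for (int fd = 0; fd <= svc_maxfd; fd++) {
        if (rpc_transports[fd] != 0)
            FD_SET(fd, readfds);
    }
    return svc_maxfd + 1;
}

/* Number of fds placed into the set by svc_build_readfds(), for checking. */
int svc_count_readfds(void)
{
    fd_set s;
    int nfds = svc_build_readfds(&s), count = 0;
    for (int fd = 0; fd < nfds; fd++)
        if (FD_ISSET(fd, &s))
            count++;
    return count;
}

int svc_get_maxfd(void) { return svc_maxfd; }
```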
In 1.2.2, the variable is called max_xport, and is checked against the
value returned by _gssrpc_rpc_dtablesize(), but while that function
checks FD_SETSIZE if it's defined, the source file containing it only
The vulnerability resides in the object stream handler. In particular,
a multiplicative overflow occurs when a large number of embedded objects
are specified. An overflow check was in place in the code, but it only
protected related calls to gmalloc(). The C++ object array allocation
code (new[]) is not guarded by the upper bound check and the call to
new[] does not result in an exception with gcc. This results in bytes
being written after the valid heap allocation during object
construction.
Both software packages have released fixed versions which limit the allowed