xdr: avoid xdr_enum memory overrun

Since openafs-ibm-1_0, xdr_enum has used xdr_long to read and write, even
though enum_t is defined as int.  For systems where sizeof(int) ==
sizeof(long), this works by accident.  But other systems (e.g., DARWIN
ARCHFLAGS=x86_64) xdr_enum will overrun its int-sized second parameter.  For
XDR_DECODE, this results in memory corruption.

This was first noticed with OpenAFS 1.8.0 on macOS 10.13; if aklog is issued
while already holding a token, it will fail in token_SetsEquivalent with a
segfault in decodeToken.  The root cause is that the address passed to
decodeToken had been overwritten by a previous call to tokenType -> xdr_enum ->
xdr_long.

Instead, modify xdr_enum to use xdr_int for its work.

Change-Id: I671d55588d88e0640f365624b83bd04b53dc97cc
Reviewed-on: https://gerrit.openafs.org/13075
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

diff --git a/src/rx/xdr.c b/src/rx/xdr.c
index df6d179..fa106c8 100644 (file)
--- a/src/rx/xdr.c
+++ b/src/rx/xdr.c
@@ -338,7 +338,7 @@ xdr_enum(XDR * xdrs, enum_t * ep)
      * enums are treated as ints
      */
 
-    return (xdr_long(xdrs, (long *)ep));
+    return (xdr_int(xdrs, ep));
 
 }