From d1999dc956469c4fa3a899ca0ebc46d978e79d68 Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov
Date: Mon, 11 Oct 2021 00:55:14 +0300
Subject: [PATCH] Don't try to ZDR_DECODE strings into a pre-existing pointer

Otherwise it segfaults inside any string decoding inside rpc_process_call() as it doesn't zero the allocated memory, so libnfs_zdr_string() may receive non-zero *strp which is very easy to reproduce by writing a simple NFS server example using libnfs :-)
---
 lib/libnfs-zdr.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/libnfs-zdr.c b/lib/libnfs-zdr.c
index b13e49d..1896851 100644
--- a/lib/libnfs-zdr.c
+++ b/lib/libnfs-zdr.c
@@ -297,15 +297,11 @@ bool_t libnfs_zdr_string(ZDR *zdrs, char **strp, uint32_t maxsize)
 * in place.
 */
 if (zdrs->size > zdrs->pos + (int)size && zdrs->buf[zdrs->pos + size] == 0) {
-if (*strp == NULL) {
-*strp = &zdrs->buf[zdrs->pos];
-(*strp)[size] = 0;
-zdrs->pos += size;
-zdrs->pos = (zdrs->pos + 3) & ~3;
-return TRUE;
-}
+*strp = &zdrs->buf[zdrs->pos];
 (*strp)[size] = 0;
-return libnfs_zdr_opaque(zdrs, *strp, size);
+zdrs->pos += size;
+zdrs->pos = (zdrs->pos + 3) & ~3;
+return TRUE;
 }
 
 /* Crap. The string is not null terminated in the rx buffer.
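Review bot: The new `*strp = &zdrs->buf[zdrs->pos];` now repoints *strp into the receive buffer unconditionally, so a caller whose *strp already addressed a buffer of its own loses that pointer without it being freed, and the removed libnfs_zdr_opaque() fallback that used to copy into such a buffer is gone; the returned string aliases zdrs->buf and is only valid for as long as that buffer is, which callers (and any free routine for decoded results) must know. The bounds test on the unchanged line above it, `zdrs->size > zdrs->pos + (int)size`, narrows the wire-supplied uint32_t size to int before adding, so unless size is already capped against maxsize earlier in the function a large value can make the sum negative, satisfy the comparison and then index zdrs->buf out of range on the same line; that check is outside this hunk and should be confirmed. I would document the aliasing on the new assignment, e.g. `/* Alias the rx buffer: *strp must not be freed and is invalid once zdrs->buf is released. */`, and write the bound in unsigned terms, e.g. `size < (uint32_t)(zdrs->size - zdrs->pos)` once pos <= size is established. libnfs_zdr_string's prologue and the non-terminated-string path continue outside the hunk.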