Attachment 599108 Details for Bug 840822 – Updated patch to address pcp credentials pdu buffer overflow exploit

[patch] Updated patch to address pcp credentials pdu buffer overflow exploit

pcp_creds2.patch (text/plain), 1.45 KB, created by Nathan Scott on 2012-07-19 10:18:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Nathan Scott

Created: 2012-07-19 10:18:37 UTC

Size: 1.45 KB

patch

obsolete

>diff --git a/src/libpcp/src/p_creds.c b/src/libpcp/src/p_creds.c
>index 597edb9..893f432 100644
>--- a/src/libpcp/src/p_creds.c
>+++ b/src/libpcp/src/p_creds.c
>@@ -15,6 +15,8 @@
> #include "pmapi.h"
> #include "impl.h"
> 
>+#define LIMIT_CREDS	1024
>+
> /*
>  * PDU for process credentials (PDU_CREDS)
>  */
>@@ -27,12 +29,12 @@ typedef struct {
> int
> __pmSendCreds(int fd, int from, int credcount, const __pmCred *credlist)
> {
>-    size_t	need = 0;
>-    creds_t	*pp = NULL;
>+    size_t	need;
>+    creds_t	*pp;
>     int		i;
>     int		sts;
> 
>-    if (credcount <= 0 || credlist == NULL)
>+    if (credcount <= 0 || credcount > LIMIT_CREDS || credlist == NULL)
> 	return PM_ERR_IPC;
> 
>     need = sizeof(creds_t) + ((credcount-1) * sizeof(__pmCred));
>@@ -61,12 +63,20 @@ __pmDecodeCreds(__pmPDU *pdubuf, int *sender, int *credcount, __pmCred **credlis
> {
>     creds_t	*pp;
>     int		i;
>+    int		len;
>+    int		need;
>     int		numcred;
>     __pmCred	*list;
> 
>     pp = (creds_t *)pdubuf;
>+    len = pp->hdr.len;		/* ntohl() converted already in __pmGetPDU() */
>     numcred = ntohl(pp->numcreds);
>-    if (pp == NULL || numcred < 0) return PM_ERR_IPC;
>+    if (numcred < 0 || numcred > LIMIT_CREDS)
>+	return PM_ERR_IPC;
>+    need = sizeof(creds_t) + ((numcred-1) * sizeof(__pmCred));
>+    if (need != len)
>+	return PM_ERR_IPC;
>+
>     *sender = pp->hdr.from;	/* ntohl() converted already in __pmGetPDU() */
>     if ((list = (__pmCred *)malloc(sizeof(__pmCred) * numcred)) == NULL)
> 	return -oserror();

Actions: View | Diff

Attachments on bug 840822: 598767 | 599108