Bug 841298

Summary: pmcd leaks memory in DoFetch error path
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: pcp
Assignee: Ken McDonell <kenj>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 16
CC: kenj, mgoodwin, nathans, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-20 00:03:43 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 840765, 841704

Attachments:
proposed patch for dofetch.c (flags: none)

Description Florian Weimer 2012-07-18 11:21:46 EDT
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile ||
        cip->profile[ctxnum] == NULL) {
        __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned.  This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
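The following is an added example, not code from PCP or from this bug's attachment. It models the pin/unpin discipline the description refers to in a stand-alone C program: `pdu_buf_t`, `client_t`, `decode_fetch`, `do_fetch_leaky`, `do_fetch_fixed` and `outstanding_pins` are constructed stand-ins (assumptions, not libpcp's API), and `decode_fetch` simply pins the buffer the way the report says `__pmDecodeFetch` does. The leaky handler keeps the reported early return; the fixed handler releases the pin on that path. The pin counter is the check a reviewer or unit test can apply: after any number of requests, valid or malformed, it must be back at zero.

```c
#include <stdio.h>

#define N_PROFILES 4

/* Constructed model of a PDU buffer: the pin count must return to 0 once a
 * request has been fully handled. A count that only grows is the leak the
 * report describes. */
typedef struct {
    int pinned;
} pdu_buf_t;

/* Per-client state, modelled on cip->profile / cip->szProfile in the excerpt. */
typedef struct {
    int         szProfile;
    const char *profile[N_PROFILES];   /* NULL = no profile received for that context */
} client_t;

static void pin_buf(pdu_buf_t *pb)   { pb->pinned++; }
static void unpin_buf(pdu_buf_t *pb) { pb->pinned--; }

/* Hypothetical stand-in for __pmDecodeFetch (not libpcp's code): pins the
 * buffer, as the report says the real function does, and hands back the
 * context number carried in the request. Always succeeds in this model. */
static int decode_fetch(pdu_buf_t *pb, int requested_ctx, int *ctxnum)
{
    pin_buf(pb);
    *ctxnum = requested_ctx;
    return 0;
}

/* Leaky handler: mirrors the reported path; the error return skips the unpin. */
static int do_fetch_leaky(client_t *cip, pdu_buf_t *pb, int requested_ctx)
{
    int ctxnum;
    int sts = decode_fetch(pb, requested_ctx, &ctxnum);
    if (sts < 0)
        return sts;
    if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL) {
        /* the real code logs an error here, but the pin is never released */
        return -1;
    }
    /* ... normal fetch work would use the pinned buffer here ... */
    unpin_buf(pb);
    return 0;
}

/* Fixed handler: every exit after decode_fetch releases the pin. */
static int do_fetch_fixed(client_t *cip, pdu_buf_t *pb, int requested_ctx)
{
    int ctxnum;
    int sts = decode_fetch(pb, requested_ctx, &ctxnum);
    if (sts < 0)
        return sts;
    if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL) {
        unpin_buf(pb);          /* release before bailing out */
        return -1;
    }
    unpin_buf(pb);
    return 0;
}

/* Resource-balance check: run n requests carrying requested_ctx through a
 * handler and report how many pins are still outstanding afterwards. */
static int outstanding_pins(int (*handler)(client_t *, pdu_buf_t *, int),
                            int n_requests, int requested_ctx)
{
    /* constructed client: contexts 1 and 3 have no profile */
    client_t  cip = { N_PROFILES, { "profile0", NULL, "profile2", NULL } };
    pdu_buf_t pb  = { 0 };
    for (int i = 0; i < n_requests; i++)
        handler(&cip, &pb, requested_ctx);
    return pb.pinned;
}

int main(void)
{
    printf("leaky handler, 1000 requests with ctxnum=-1: %d pins outstanding\n",
           outstanding_pins(do_fetch_leaky, 1000, -1));
    printf("fixed handler, same input:                   %d pins outstanding\n",
           outstanding_pins(do_fetch_fixed, 1000, -1));
    printf("leaky handler, valid ctxnum=0:               %d pins outstanding\n",
           outstanding_pins(do_fetch_leaky, 1000, 0));
    return 0;
}
```

The same balance check applies to the real server: whatever pins a buffer on entry must unpin it on every exit, including the error branches, and a counter (or a leak checker such as Valgrind run against a test client) makes an unbalanced branch visible long before memory pressure does.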
Comment 2 Mark Goodwin 2012-07-19 20:07:40 EDT
Ken requested assignment, thanks Ken!
Comment 3 Ken McDonell 2012-07-20 07:32:57 EDT
Created attachment 599366
proposed patch for dofetch.c

This one is done I believe.
Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 00:09:31 EDT
Upstream patch:

This issue has been addressed in pcp-3.6.5