Bug 841319

Summary: In-band signalling in __pmGetPDU leads to pmcd memory leak
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: pcpAssignee: Ken McDonell <kenj>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: kenj, mgoodwin, nathans, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcp-3.6.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-20 00:03:38 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 840765, 841704    
Attachments:
Description Flags
proposed patch for pdu.c none

Description Florian Weimer 2012-07-18 12:41:03 EDT
The return value of __pmGetPDU is both an error code and the value of the type field of the PDU.  A negative type value is treated as an error by HandleClientInput, and the PDU is never unpinned, even though it was pinned by __pmGetPDU because there was no error.  This leads to a memory leak and eventual pmcd crash.

I think one possible fix would be to reject negative type values in __pmGetPDU.
Comment 2 Mark Goodwin 2012-07-18 22:25:02 EDT
[this is a test] Ken tried to comment on this BZ but got an error
Comment 3 Ken McDonell 2012-07-19 00:35:43 EDT
I'll work on this one.  Florian's suggested fix seems correct and robust.
Comment 4 Ken McDonell 2012-07-19 04:58:00 EDT
Fix is in commit 49b9bd1e5d1df6f7115fec79bd09e2dc99df7fd9.
QA 511 added to verify bug and fix.
Comment 5 Ken McDonell 2012-07-20 02:36:40 EDT
Created attachment 599314 [details]
proposed patch for pdu.c

This is Florian's fix.  I've backed out the commit in my git tree as per the agreed process for handling these issues.
Comment 6 Huzaifa S. Sidhpurwala 2012-08-16 00:10:18 EDT
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=68fb968b4ee635bb301dc9ab64e633b0d66d27b4

This issue has been addressed in pcp-3.6.5