Red Hat Bugzilla – Bug 841180
DecodeNameReq buffer overflow
Last modified: 2012-08-19 23:53:54 EDT
DecodeNameReq does not check the namelen field against the PDU size. This can lead to a crash. DecodeNameReq is exposed by pmcd through PDU_PMNS_CHILD and PDU_PMNS_TRAVERSE processing. No authentication is required.
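Added example, not part of the original report and not PCP's code or the attached patch: a decoder for a length-prefixed name that validates namelen against the bytes actually received, which is the check the description above says is missing. The field layout, the function names and the sample PDUs are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (hypothetical, not PCP's actual wire format):
 * 4-byte big-endian subtype, 4-byte big-endian namelen, then the name bytes. */
#define NAMEREQ_FIXED 8u

/* Constructed sample PDUs. */
const unsigned char PDU_OK[]   = {0,0,0,1, 0,0,0,3, 'a','.','b'};
const unsigned char PDU_LONG[] = {0,0,0,1, 0,0,0,64, 'a'};             /* namelen > payload */
const unsigned char PDU_NEG[]  = {0,0,0,1, 0xff,0xff,0xff,0xff, 'a'};  /* namelen == -1 */

static int32_t get_be32(const unsigned char *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Returns the name length and a malloc'd NUL-terminated copy, or -1 if malformed. */
int decode_namereq(const unsigned char *pdu, size_t pdulen, int32_t *subtype, char **name_out)
{
    int32_t namelen;
    *name_out = NULL;
    if (pdu == NULL || pdulen < NAMEREQ_FIXED) return -1;   /* fixed fields truncated */
    *subtype = get_be32(pdu);
    namelen = get_be32(pdu + 4);
    /* Reject negative lengths, then compare with the bytes actually received.
     * pdulen - NAMEREQ_FIXED cannot wrap here; namelen + NAMEREQ_FIXED could. */
    if (namelen < 0 || (size_t)namelen > pdulen - NAMEREQ_FIXED)
        return -1;
    if ((*name_out = malloc((size_t)namelen + 1)) == NULL) return -1;
    memcpy(*name_out, pdu + NAMEREQ_FIXED, (size_t)namelen);
    (*name_out)[namelen] = '\0';
    return (int)namelen;
}

/* Wrapper for callers that only need the verdict: name length, or -1 if rejected. */
int decoded_len(const unsigned char *pdu, size_t pdulen)
{
    int32_t subtype;
    char *name;
    int n = decode_namereq(pdu, pdulen, &subtype, &name);
    free(name);   /* NULL on rejection; free(NULL) is a no-op */
    return n;
}

int main(void) { return decoded_len(PDU_OK, sizeof PDU_OK) == 3 ? 0 : 1; }
```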
Nathan requested assignment, thanks Nathan.
Created attachment 600700
Resolve issues in decoding PCP namereq PDUs
namelen+1 >= INT_MAX is always false. But the comparison appears to be unnecessary in this case.
Created attachment 600961
Updated patch to address PCP namereq PDU decoding issues
Incorporate Florian's review comments.
(In reply to comment #5)
> Created attachment 600961
> Updated patch to address PCP namereq PDU decoding issues
> Incorporate Florian's review comments.
Looks good to me.
This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates: