DecodeNameReq does not check the namelen field against the PDU size. This can lead to a crash. DecodeNameReq is exposed by pmcd through PDU_PMNS_CHILD and PDU_PMNS_TRAVERSE processing. No authentication is required.
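A bounds-checked decoder for the kind of length-prefixed name request described in the report above, as an added example that is not PCP's code or the attached patch. The wire layout, the function names and the sample PDU are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified layout (not PCP's real structs), big-endian 32-bit fields:
 *   len (whole PDU, header included) | subtype | namelen | name bytes + padding */
#define NAMEREQ_FIXED 12u
enum { NAMEREQ_OK = 0, NAMEREQ_BAD_PDU = -1, NAMEREQ_NOMEM = -2 };

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* On success *name_out is a malloc'd, NUL-terminated copy the caller frees. */
int decode_namereq(const unsigned char *buf, size_t buflen,
                   uint32_t *subtype_out, char **name_out)
{
    if (buflen < NAMEREQ_FIXED) return NAMEREQ_BAD_PDU;
    uint32_t pdulen = rd32(buf);        /* claimed length vs bytes received */
    if (pdulen < NAMEREQ_FIXED || pdulen > buflen) return NAMEREQ_BAD_PDU;
    uint32_t namelen = rd32(buf + 8);
    /* Compare with the bytes left after the fixed part; subtracting on the
     * validated side avoids any namelen + k expression that could wrap. */
    if (namelen > pdulen - NAMEREQ_FIXED) return NAMEREQ_BAD_PDU;
    char *name = malloc((size_t)namelen + 1);
    if (name == NULL) return NAMEREQ_NOMEM;
    memcpy(name, buf + NAMEREQ_FIXED, namelen);
    name[namelen] = '\0';
    *subtype_out = rd32(buf + 4);
    *name_out = name;
    return NAMEREQ_OK;
}

/* Constructed sample: 9 name bytes on the wire, namelen field set to `claimed`. */
int decode_constructed(uint32_t claimed)
{
    unsigned char pdu[] = { 0, 0, 0, 21, 0, 0, 0, 1,
        (unsigned char)(claimed >> 24), (unsigned char)(claimed >> 16),
        (unsigned char)(claimed >> 8), (unsigned char)claimed,
        'h', 'i', 'n', 'v', '.', 'n', 'c', 'p', 'u' };
    uint32_t subtype = 0;
    char *name = NULL;
    int sts = decode_namereq(pdu, sizeof(pdu), &subtype, &name);
    if (sts == NAMEREQ_OK && strlen(name) != claimed) sts = -3;
    free(name);
    return sts;
}

int main(void) { return decode_constructed(9) == NAMEREQ_OK ? 0 : 1; }
```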
Nathan requested assignment, thanks Nathan.
Created attachment 600700
Resolve issues in decoding PCP namereq PDUs
namelen+1 >= INT_MAX is always false. But the comparison appears to be unnecessary in this case.
Created attachment 600961
Updated patch to address PCP namereq PDU decoding issues

Incorporate Florian's review comments.
(In reply to comment #5)
> Created attachment 600961
> Updated patch to address PCP namereq PDU decoding issues
>
> Incorporate Florian's review comments.

Looks good to me.
Upstream patch:
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=bfb3ab8c6b3d75b1a6580feee76a7d0925a3633c

This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6