pmcd crashes when processing a crafted PDU_FETCH request because of a missing length check in __pmDecodeFetch. Code execution through this bug appears unlikely because the loop which runs past the end of the PDU only performs byte swapping (on little-endian architectures).
Nathan requested assignment, thanks Nathan.
Created attachment 599665
Resolve issues in decoding PCP fetch PDUs

Proposed fix attached. Please review, thanks.
(In reply to comment #3)
> Created attachment 599665
> Resolve issues in decoding PCP fetch PDUs
>
> Proposed fix attached. Please review, thanks.

    if ((pduend - (char*)pp) != sizeof(fetch_t) + ((sizeof(pmID)) * (numpmid-1)))

The expression (sizeof(pmID)) * (numpmid-1) can overflow (for instance, if numpmid is 0x40000001), so the check does not catch all cases where numpmid and the actual number of elements disagree.
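The two failure modes discussed above (no length check before the byte-swap loop, then a length check whose size computation can wrap) are worth seeing side by side. The program below is an added illustration written for this thread; it is not PCP's code and not either attached patch. The fetch_t layout, the field names, the be32 helper and the two sample PDUs are all assumptions constructed for the example; the real wire format is defined by PCP, not by this snippet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fetch PDU layout for this example: an assumption modelled on
 * the fixed-header-plus-pmID-array shape discussed in the thread, not PCP's
 * own fetch_t declaration.  All fields are big-endian on the wire. */
typedef uint32_t pmID;
typedef struct {
    uint32_t len;          /* total PDU length in bytes */
    uint32_t type;         /* PDU type */
    uint32_t from;         /* sender identifier */
    int32_t  ctxnum;       /* context number */
    int32_t  numpmid;      /* count of pmIDs that follow */
    pmID     pmidlist[1];  /* numpmid entries in practice */
} fetch_t;

#define FETCH_FIXED offsetof(fetch_t, pmidlist)   /* bytes before pmidlist */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Shape of the check quoted in the reply above, evaluated in 32-bit
 * arithmetic: sizeof(pmID) * (numpmid - 1) wraps for numpmid = 0x40000001,
 * so a 24-byte PDU that declares a billion pmIDs is accepted.  Returns 1 if
 * the PDU passes the check. */
static int check_by_multiply(uint32_t pdulen, int32_t numpmid)
{
    uint32_t expect = (uint32_t)sizeof(fetch_t) +
                      (uint32_t)sizeof(pmID) * (uint32_t)(numpmid - 1);
    return pdulen == expect;
}

/* Overflow-free form: derive how many pmIDs actually fit in the bytes
 * received, then compare that with the declared count.  Nothing here can
 * exceed pdulen, so nothing wraps.  Returns 1 if declared == actual. */
static int check_by_divide(uint32_t pdulen, int32_t numpmid)
{
    if (numpmid < 0 || pdulen < FETCH_FIXED)
        return 0;
    uint32_t avail = pdulen - (uint32_t)FETCH_FIXED;
    if (avail % sizeof(pmID) != 0)
        return 0;
    return (uint32_t)numpmid == avail / sizeof(pmID);
}

static pmID decoded[8];   /* output area shared by main and the checks below */

/* Decode buf[0..buflen): validate every length before the loop that walks
 * pmidlist, then byte-swap the pmIDs into out (capacity maxout).  Returns
 * the number of pmIDs decoded, or -1 for a malformed PDU. */
static int decode_fetch(const unsigned char *buf, size_t buflen,
                        pmID *out, size_t maxout)
{
    if (buflen < FETCH_FIXED || buflen > UINT32_MAX)
        return -1;
    if (be32(buf) != buflen)          /* header length vs bytes received */
        return -1;
    int32_t numpmid = (int32_t)be32(buf + offsetof(fetch_t, numpmid));
    if (!check_by_divide((uint32_t)buflen, numpmid))
        return -1;
    if ((size_t)numpmid > maxout)
        return -1;
    for (int32_t i = 0; i < numpmid; i++)   /* safe: bounds proven above */
        out[i] = be32(buf + FETCH_FIXED + (size_t)i * sizeof(pmID));
    return numpmid;
}

/* Constructed sample PDUs for this example, not captured traffic. */
static const unsigned char GOOD_PDU[] = {
    0,0,0,28,  0,0,0,1,  0,0,0,0,  0,0,0,0,  0,0,0,2,     /* len=28, numpmid=2 */
    0,0,0,1,   0x30,0,0,2                                 /* two pmIDs */
};
static const unsigned char CRAFTED_PDU[] = {
    0,0,0,24,  0,0,0,1,  0,0,0,0,  0,0,0,0,  0x40,0,0,1,  /* len=24, numpmid=0x40000001 */
    0,0,0,0                                               /* only one slot present */
};

int main(void)
{
    printf("multiply check accepts crafted PDU: %d\n",
           check_by_multiply(sizeof CRAFTED_PDU, 0x40000001));
    printf("divide check accepts crafted PDU:   %d\n",
           check_by_divide(sizeof CRAFTED_PDU, 0x40000001));
    printf("decode good PDU -> %d pmIDs\n",
           decode_fetch(GOOD_PDU, sizeof GOOD_PDU, decoded, 8));
    printf("decode crafted PDU -> %d\n",
           decode_fetch(CRAFTED_PDU, sizeof CRAFTED_PDU, decoded, 8));
    return 0;
}
```

The point of check_by_divide is that it never multiplies an attacker-controlled count by anything: it starts from the byte count the kernel actually delivered, subtracts the fixed header, and divides. A declared numpmid that disagrees with that quotient is rejected before any loop indexes pmidlist, which is the ordering the original crash lacked.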
Created attachment 599891
Updated patch to address PCP fetch PDU decoding issues
Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=7eb479b91ef12bf89a15b078af2107c8c4746a4a

This issue has been addressed in pcp-3.6.5.
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide:   https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5:    https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6:    https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6