pmcd crashes when processing a crafted PDU_FETCH request because of a missing length check in __pmDecodeFetch. Code execution through this bug appears unlikely because the loop which runs past the end of the PDU only performs byte swapping (on little-endian architectures).
Nathan requested assignment, thanks Nathan.
Created attachment 599665
Resolve issues in decoding PCP fetch PDUs
Proposed fix attached. Please review, thanks.
(In reply to comment #3)
> Created attachment 599665
> Resolve issues in decoding PCP fetch PDUs
> Proposed fix attached. Please review, thanks.
if ((pduend - (char*)pp) != sizeof(fetch_t) + ((sizeof(pmID)) * (numpmid-1)))
The expression (sizeof(pmID)) * (numpmid-1) can overflow (for instance, if numpmid is 0x40000001), so the check does not catch all cases where numpmid and the actual number of elements disagree.
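The overflow described in the review comment above, as an added example that is not part of the attached patches or of the PCP code base. The layout is constructed: a fixed header of `FIXED_HDR` bytes that already contains the first 4-byte ID, followed by `numpmid - 1` further IDs, mirroring the shape of the quoted check. The arithmetic is done in `uint32_t` to model a 32-bit `size_t`, which is where `4 * (numpmid - 1)` wraps for `numpmid = 0x40000001`. The hardened variant derives the element count from the PDU length by division instead of multiplying the attacker-controlled count, and rejects non-positive counts and short PDUs before any arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: header (including the first ID) plus trailing IDs. */
#define ID_SIZE   4u
#define FIXED_HDR 16u

/*
 * Naive check in the style of the quoted expression:
 *   pdu_len == sizeof(header) + sizeof(id) * (numpmid - 1)
 * Evaluated in 32-bit unsigned arithmetic to model a 32-bit size_t.
 * A negative numpmid also converts to a huge unsigned value here.
 */
bool naive_length_ok(uint32_t pdu_len, int32_t numpmid)
{
    uint32_t expected = FIXED_HDR + ID_SIZE * (uint32_t)(numpmid - 1);
    return pdu_len == expected;
}

/*
 * Hardened check: validate the count and the minimum size first, then
 * compare the count implied by the length (division cannot overflow)
 * with the count claimed in the PDU.
 */
bool safe_length_ok(uint32_t pdu_len, int32_t numpmid)
{
    if (numpmid < 1 || pdu_len < FIXED_HDR)
        return false;
    uint32_t tail = pdu_len - FIXED_HDR;
    if (tail % ID_SIZE != 0)
        return false;
    return tail / ID_SIZE + 1 == (uint32_t)numpmid;
}

int main(void)
{
    /* Well-formed PDU: header plus three more IDs, numpmid = 4. */
    printf("naive, valid PDU:      %d\n", naive_length_ok(28, 4));
    printf("safe,  valid PDU:      %d\n", safe_length_ok(28, 4));

    /* Wrapped product: 4 * 0x40000000 == 0 mod 2^32, so a 16-byte PDU
     * claiming 0x40000001 IDs passes the naive check. */
    printf("naive, numpmid=0x40000001: %d\n", naive_length_ok(16, 0x40000001));
    printf("safe,  numpmid=0x40000001: %d\n", safe_length_ok(16, 0x40000001));

    /* Negative count: naive arithmetic wraps again, hardened check rejects. */
    printf("naive, numpmid=-3 len=0:  %d\n", naive_length_ok(0, -3));
    printf("safe,  numpmid=-3 len=0:  %d\n", safe_length_ok(0, -3));
    return 0;
}
```

The key design choice is that the decoder never multiplies a count taken from the wire; it checks the length, then divides. Any later loop over the IDs is then bounded by bytes actually present in the buffer rather than by the claimed count.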
Created attachment 599891
Updated patch to address PCP fetch PDU decoding issues
This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates: