__pmDecodeInstance does not check the numinst and namelen values against the length of the PDU. As a result, an application which decodes crafted PDU_INSTANCE packets can crash. namelen values of 0xFFFFFFFF result in the allocation of a heap object which is too small, but this is probably not exploitable for code execution (this assessment is subject to the usual caveats).
Created attachment 600701 [details] Resolve issues in decoding PCP instance PDUs
(In reply to comment #2)
> Created attachment 600701 [details]

    if (sizeof(instlist_t) - sizeof(sizeof(ip->name)) > (size_t)(pdu_end - (char *)ip)) {

There's a duplicated sizeof.

    if (ip->namelen < 0 || ip->namelen >= rp->hdr.len || ip->namelen + 1 >= INT_MAX) {

ip->namelen + 1 >= INT_MAX is always false. If you move the next check before the malloc, you only need the ip->namelen < 0 part. The ip->namelen >= rp->hdr.len check is implicit in the check against the remaining PDU length.
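The checks discussed in the bug description and in the review above, as an added example that is not PCP's own code: a simplified instance-list decoder over a hypothetical wire layout (host byte order; the struct and function names, the build_pdu helper and the scenario functions are assumptions made for this example, not PCP identifiers). It validates numinst and namelen against the bytes actually remaining in the PDU before any pointer arithmetic or allocation, so a namelen of 0xFFFFFFFF (which reads back as -1) or a numinst larger than the PDU can hold is rejected, and it shows why the single remaining-bytes check makes the namelen >= hdr.len and namelen + 1 >= INT_MAX comparisons unnecessary.

```c
/*
 * Added example (not PCP's code). Wire layout assumed here, hypothetical
 * and in host byte order, not PCP's real structures:
 *   int32 len      total PDU bytes including this header
 *   int32 numinst  number of entries that follow
 *   entries: int32 inst, int32 namelen, char name[namelen]
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_BAD_PDU = -1, DECODE_NOMEM = -2 };
#define HDR_BYTES   (2 * sizeof(int32_t))   /* len + numinst */
#define ENTRY_FIXED (2 * sizeof(int32_t))   /* inst + namelen */

typedef struct { int32_t inst; char *name; } decoded_inst_t;

static void free_decoded(decoded_inst_t *list, int n)
{
    for (int i = 0; i < n; i++)
        free(list[i].name);
    free(list);
}

/* Every length field is checked against the bytes left in the PDU
 * before it drives pointer arithmetic or an allocation. */
int decode_instance(const unsigned char *pdu, size_t pdulen,
                    decoded_inst_t **out, int *nout)
{
    const unsigned char *p = pdu, *pdu_end = pdu + pdulen;
    int32_t len, numinst;
    decoded_inst_t *list = NULL;
    int i = 0;

    *out = NULL; *nout = 0;
    if (pdulen < HDR_BYTES) return DECODE_BAD_PDU;
    memcpy(&len, p, sizeof len);
    memcpy(&numinst, p + sizeof len, sizeof numinst);
    p += HDR_BYTES;
    /* the header's own length must match the buffer we were handed */
    if (len < 0 || (size_t)len != pdulen) return DECODE_BAD_PDU;
    /* each entry needs at least ENTRY_FIXED bytes, so a crafted count
     * cannot run the loop past the end of the buffer */
    if (numinst < 0 || (size_t)numinst > (pdulen - HDR_BYTES) / ENTRY_FIXED)
        return DECODE_BAD_PDU;
    if (numinst > 0 && !(list = calloc((size_t)numinst, sizeof *list)))
        return DECODE_NOMEM;

    for (i = 0; i < numinst; i++) {
        int32_t inst, namelen;
        if ((size_t)(pdu_end - p) < ENTRY_FIXED) goto bad;
        memcpy(&inst, p, sizeof inst);
        memcpy(&namelen, p + sizeof inst, sizeof namelen);
        p += ENTRY_FIXED;
        /* namelen < 0 rejects 0xFFFFFFFF; comparing against the remaining
         * bytes subsumes any check against len and keeps namelen + 1 small */
        if (namelen < 0 || (size_t)namelen > (size_t)(pdu_end - p)) goto bad;
        list[i].inst = inst;
        if (!(list[i].name = malloc((size_t)namelen + 1))) {
            free_decoded(list, i); return DECODE_NOMEM;
        }
        memcpy(list[i].name, p, (size_t)namelen);
        list[i].name[namelen] = '\0';
        p += namelen;
    }
    *out = list; *nout = numinst;
    return DECODE_OK;
bad:
    free_decoded(list, i);
    return DECODE_BAD_PDU;
}

/* Build a PDU in the layout above; numinst_field and the optional
 * per-entry namelens let a caller inject the crafted values. */
size_t build_pdu(unsigned char *buf, size_t cap, int32_t numinst_field,
                 const char **names, const int32_t *namelens, int n)
{
    size_t off = HDR_BYTES;
    int32_t total;
    if (cap < HDR_BYTES) return 0;
    memcpy(buf + sizeof(int32_t), &numinst_field, sizeof numinst_field);
    for (int i = 0; i < n; i++) {
        int32_t inst = i + 1, real = (int32_t)strlen(names[i]);
        int32_t wire = namelens ? namelens[i] : real;
        if (off + ENTRY_FIXED + (size_t)real > cap) return 0;
        memcpy(buf + off, &inst, sizeof inst);      off += sizeof inst;
        memcpy(buf + off, &wire, sizeof wire);      off += sizeof wire;
        memcpy(buf + off, names[i], (size_t)real);  off += (size_t)real;
    }
    total = (int32_t)off;
    memcpy(buf, &total, sizeof total);
    return off;
}

/* Constructed two-instance sample; each scenario returns the decoder status. */
static int run_case(int32_t numinst_field, const int32_t *namelens, int *count)
{
    static const char *names[2] = { "eth0", "lo" };
    unsigned char buf[64];
    decoded_inst_t *list; int n;
    size_t len = build_pdu(buf, sizeof buf, numinst_field, names, namelens, 2);
    int rc = decode_instance(buf, len, &list, &n);
    if (count) *count = n;
    if (rc == DECODE_OK) free_decoded(list, n);
    return rc;
}
int scenario_valid(void)             { return run_case(2, NULL, NULL); }
int scenario_valid_count(void)       { int n = 0; run_case(2, NULL, &n); return n; }
int scenario_namelen_0xffffffff(void){ static const int32_t nl[2] = { -1, 2 }; return run_case(2, nl, NULL); } /* -1 is 0xFFFFFFFF on the wire */
int scenario_namelen_too_long(void)  { static const int32_t nl[2] = { 100, 2 }; return run_case(2, nl, NULL); }
int scenario_numinst_too_big(void)   { return run_case(1000, NULL, NULL); }

int main(void)
{
    printf("valid: rc=%d count=%d\n", scenario_valid(), scenario_valid_count());
    printf("namelen 0xFFFFFFFF: rc=%d\n", scenario_namelen_0xffffffff());
    printf("namelen too long:   rc=%d\n", scenario_namelen_too_long());
    printf("numinst too big:    rc=%d\n", scenario_numinst_too_big());
    return 0;
}
```

The order of the checks is the point: the fixed part of each entry is checked against the remaining bytes before namelen is read, and namelen is checked against what remains after that before malloc is called, so the allocation size can never be derived from an unvalidated field. Because namelen is bounded by the PDU length, namelen + 1 cannot overflow, which is why a separate INT_MAX comparison adds nothing.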
Created attachment 600962 [details]
Updated patch to address PCP instance PDU decoding issues

Incorporate Florian's review comments. Thanks Florian!
I think this is okay, thanks.
Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=babd6c5c527f87ec838c13a1b4eba612af6ea27c

This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6