Red Hat Bugzilla – Bug 841290
pcp: __pmDecodeLogControl vulnerabilities
Last modified: 2012-08-20 00:00:49 EDT
Moving text from Environment field to proper comment:
__pmDecodeLogControl does not check the c_numpmid and v_numval fields against the size of the PDU. Due to the way the sizes passed to malloc are calculated, heap objects could be allocated which are too small, leading to a heap-based buffer overflow.
This seems to be exposed through pmlogger, but not through pmcd.
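The class of check the report says is missing, shown as an added example (this is not PCP's code and not the attached patch): a count read from the wire is validated against the bytes actually received, and against allocation-size overflow, before it reaches malloc. The wire layout, the names `rec_t`, `list_t` and `decode_list`, and the sample PDUs are hypothetical and constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wire format, NOT PCP's real structs: a big-endian 32-bit
 * count followed by `count` records of two big-endian 32-bit words. */
#define HDR_LEN 4u
#define REC_LEN 8u
typedef struct { int32_t inst; int32_t value; } rec_t;
typedef struct { int32_t numval; rec_t rec[]; } list_t;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns a malloc'd list, or NULL when the PDU is malformed. */
list_t *decode_list(const unsigned char *pdu, size_t pdu_len)
{
    if (pdu_len < HDR_LEN) return NULL;      /* no room for the count itself */
    uint32_t nv = be32(pdu);                 /* attacker-controlled count */
    /* The count must be backed by bytes that were actually received. */
    if (nv > (pdu_len - HDR_LEN) / REC_LEN) return NULL;
    /* The allocation size must not overflow; dividing avoids computing it. */
    if (nv >= (INT_MAX - sizeof(list_t)) / sizeof(rec_t)) return NULL;
    list_t *out = malloc(sizeof(list_t) + nv * sizeof(rec_t));
    if (out == NULL) return NULL;
    out->numval = (int32_t)nv;
    for (uint32_t i = 0; i < nv; i++) {
        const unsigned char *r = pdu + HDR_LEN + (size_t)i * REC_LEN;
        out->rec[i].inst = (int32_t)be32(r);
        out->rec[i].value = (int32_t)be32(r + 4);
    }
    return out;
}

/* Constructed sample PDUs (not captured traffic). */
static const unsigned char pdu_ok[] = { 0,0,0,2, 0,0,0,1, 0,0,0,5, 0,0,0,2, 0,0,0,7 };
static const unsigned char pdu_short[] = { 0,0,0,3, 0,0,0,1, 0,0,0,5 }; /* claims 3, carries 1 */
static const unsigned char pdu_huge[] = { 0x40,0,0,0 };  /* huge count, no records */

int main(void)
{
    list_t *l = decode_list(pdu_ok, sizeof pdu_ok);
    printf("valid PDU: %d records; truncated PDU rejected: %d\n",
           l ? l->numval : -1, decode_list(pdu_short, sizeof pdu_short) == NULL);
    free(l);
    return 0;
}
```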
Created attachment 600705
Resolve issues in decoding PCP logcontrol PDUs
(In reply to comment #2)
> Created attachment 600705
> Resolve issues in decoding PCP logcontrol PDUs
I think this is fine, thanks. You can remove
if (nv >= (INT_MAX - sizeof(vlist_t) - sizeof(__pmValue_PDU)) / sizeof(__pmValue_PDU))
from the nv == 0 branch.
Created attachment 600969
Updated patch to address PCP logcontrol PDU decoding issues
Incorporate Florian's review comments.
(In reply to comment #4)
> Created attachment 600969
> Updated patch to address PCP logcontrol PDU decoding issues
> Incorporate Florian's review comments.
Still looks okay.
This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates: