Bug 841298 - pmcd leaks memory in DoFetch error path
Summary: pmcd leaks memory in DoFetch error path
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ken McDonell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 840765 CVE-2012-3420
Reported: 2012-07-18 15:21 UTC by Florian Weimer
Modified: 2012-08-20 04:03 UTC (History)

Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-20 04:03:43 UTC
Type: Bug


Attachments
proposed patch for dofetch.c (700 bytes, patch)
2012-07-20 11:32 UTC, Ken McDonell

Description Florian Weimer 2012-07-18 15:21:46 UTC
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    ...
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile ||
        cip->profile[ctxnum] == NULL) {
        __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);
        return PM_ERR_NOPROFILE;
    }

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned.  This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
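
As an added illustration, not code from this bug report or from PCP itself, the C model below reproduces the shape of the leak the description points at. The names pdu_alloc, pdu_pin, pdu_unpin, decode_fetch, do_fetch_leaky, do_fetch_fixed, the pool size and the PM_ERR_NOPROFILE value are all constructed for the example and stand in for pmcd's real PDU-buffer pinning; the only thing taken from the report is the structure of the error path. The leaky handler returns PM_ERR_NOPROFILE without releasing the pin, so every rejected request leaves one buffer permanently held; the corrected handler releases the pin on the error path, which is what the description implies the fix must do.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder; not PCP's real error code value. */
#define PM_ERR_NOPROFILE (-1000)
#define MAX_BUFS 64          /* small pool so exhaustion is easy to observe */

/* A PDU buffer with a pin count: while pinned > 0 it cannot be reclaimed. */
typedef struct {
    int in_use;
    int pinned;
} pdu_buf_t;

static pdu_buf_t pool[MAX_BUFS];

/* Forget all buffers (used between simulation runs). */
void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Number of buffers currently held pinned: the leak we want to measure. */
int pinned_buffers(void)
{
    int n = 0;
    for (int i = 0; i < MAX_BUFS; i++)
        if (pool[i].in_use && pool[i].pinned > 0)
            n++;
    return n;
}

/* Stand-in for reading a PDU off the client socket into a pool buffer. */
static pdu_buf_t *pdu_alloc(void)
{
    for (int i = 0; i < MAX_BUFS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].pinned = 0;
            return &pool[i];
        }
    }
    return NULL;             /* pool exhausted: the daemon has run out of buffers */
}

static void pdu_pin(pdu_buf_t *pb)   { pb->pinned++; }
static void pdu_unpin(pdu_buf_t *pb) { if (--pb->pinned == 0) pb->in_use = 0; }

/* Model of the decoder: it pins the buffer and hands back the client's ctxnum. */
static int decode_fetch(pdu_buf_t *pb, int wire_ctxnum, int *ctxnum)
{
    pdu_pin(pb);
    *ctxnum = wire_ctxnum;
    return 0;
}

typedef struct { int szProfile; } client_t;

/* Handler with the defect: the early return skips the unpin. */
int do_fetch_leaky(client_t *cip, pdu_buf_t *pb, int wire_ctxnum)
{
    int ctxnum;
    decode_fetch(pb, wire_ctxnum, &ctxnum);
    if (ctxnum < 0 || ctxnum >= cip->szProfile)
        return PM_ERR_NOPROFILE;     /* BUG: pb is still pinned here */
    pdu_unpin(pb);
    return 0;
}

/* Corrected handler: every exit path releases the pin. */
int do_fetch_fixed(client_t *cip, pdu_buf_t *pb, int wire_ctxnum)
{
    int ctxnum;
    decode_fetch(pb, wire_ctxnum, &ctxnum);
    if (ctxnum < 0 || ctxnum >= cip->szProfile) {
        pdu_unpin(pb);               /* release before the error return */
        return PM_ERR_NOPROFILE;
    }
    pdu_unpin(pb);
    return 0;
}

/*
 * Feed a handler n requests that all carry an invalid ctxnum and report how
 * many buffers remain pinned afterwards; -1 means the pool ran dry first.
 */
int simulate(int (*handler)(client_t *, pdu_buf_t *, int), int n)
{
    client_t client = { .szProfile = 4 };
    pool_reset();
    for (int i = 0; i < n; i++) {
        pdu_buf_t *pb = pdu_alloc();
        if (pb == NULL)
            return -1;
        handler(&client, pb, -1);    /* -1 is never a valid context number */
    }
    return pinned_buffers();
}

int main(void)
{
    printf("leaky, 10 bad requests: %d pinned\n", simulate(do_fetch_leaky, 10));
    printf("fixed, 10 bad requests: %d pinned\n", simulate(do_fetch_fixed, 10));
    printf("leaky, 100 bad requests: %d (-1 = pool exhausted)\n",
           simulate(do_fetch_leaky, 100));
    return 0;
}
```

The pool_reset/pinned_buffers pair is the kind of instrumentation that makes this class of bug testable: a unit test can assert that the pinned count returns to zero after the error path, which would have caught the defect before it reached a network-facing daemon.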

Comment 2 Mark Goodwin 2012-07-20 00:07:40 UTC
Ken requested assignment, thanks Ken!

Comment 3 Ken McDonell 2012-07-20 11:32:57 UTC
Created attachment 599366
proposed patch for dofetch.c

This one is done I believe.

Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 04:09:31 UTC
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=a7dc844d3586ea79887655a97c4252a79751fdae

This issue has been addressed in pcp-3.6.5.

