This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    ...
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL) {
        __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);
        return PM_ERR_NOPROFILE;
    }

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned. This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
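To show the leak class described above beside its fix, here is an added C model that is not PCP's or the reporter's code: pdu_pin/pdu_unpin, decode_fetch and the profile array are stand-ins for libpcp's PDU buffer pinning, __pmDecodeFetch and cip->profile, and the PDU layout is constructed for the example.

```c
#include <stddef.h>
/* Added model of the DoFetch leak, not PCP's code: pdu_pin/pdu_unpin stand in
 * for libpcp's PDU buffer pinning; pinned_bytes is what grows on a real pmcd. */
#define NUM_CONTEXTS 4
#define PDU_LEN      64
static unsigned pinned_bytes;                 /* outstanding pinned memory */
static void pdu_pin(void *pb)   { (void)pb; pinned_bytes += PDU_LEN; }
static void pdu_unpin(void *pb) { (void)pb; pinned_bytes -= PDU_LEN; }
/* Stand-in for __pmDecodeFetch: pins, then decodes (constructed: first int = ctxnum). */
static void decode_fetch(void *pb, int *ctxnum)
{
    pdu_pin(pb);
    *ctxnum = *(int *)pb;
}
/* The check from the report; it short-circuits before indexing profile. */
#define BAD_CTX(c, p, n) ((c) < 0 || (c) >= (n) || (p)[(c)] == NULL)

/* Pattern from the report: the error return leaves the PDU pinned. */
int do_fetch_leaky(void *pb, const void *const *profile, int szProfile)
{
    int ctxnum;
    decode_fetch(pb, &ctxnum);
    if (BAD_CTX(ctxnum, profile, szProfile))
        return -1;                /* PM_ERR_NOPROFILE; pin never released */
    pdu_unpin(pb);
    return 0;
}

/* Fixed pattern: every exit path releases the pin taken by decode. */
int do_fetch_fixed(void *pb, const void *const *profile, int szProfile)
{
    int ctxnum;
    decode_fetch(pb, &ctxnum);
    if (BAD_CTX(ctxnum, profile, szProfile)) {
        pdu_unpin(pb);            /* release before the error return */
        return -1;
    }
    pdu_unpin(pb);
    return 0;
}

/* Feeds n PDUs with an out-of-range ctxnum to fn; returns bytes still pinned. */
unsigned leaked_after(int (*fn)(void *, const void *const *, int), int n)
{
    const void *profile[NUM_CONTEXTS] = { "ctx0", NULL, NULL, NULL };
    int bad_pdu = NUM_CONTEXTS + 7;   /* constructed PDU: invalid ctxnum */
    pinned_bytes = 0;
    for (int i = 0; i < n; i++)
        fn(&bad_pdu, profile, NUM_CONTEXTS);
    return pinned_bytes;
}
```

With the leaky handler the pinned total grows by one PDU per rejected fetch, which is the unbounded growth the report describes; with the fixed handler it stays at zero.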
Ken requested assignment, thanks Ken!
Created attachment 599366: proposed patch for dofetch.c

This one is done I believe.
Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=a7dc844d3586ea79887655a97c4252a79751fdae

This issue has been addressed in pcp-3.6.5.
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6