Bug 841298 - pmcd leaks memory in DoFetch error path
Summary: pmcd leaks memory in DoFetch error path
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ken McDonell
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 840765 CVE-2012-3420
Reported: 2012-07-18 15:21 UTC by Florian Weimer
Modified: 2012-08-20 04:03 UTC (History)

Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-08-20 04:03:43 UTC
Type: Bug

Attachments
proposed patch for dofetch.c (700 bytes, patch)
2012-07-20 11:32 UTC, Ken McDonell

Description Florian Weimer 2012-07-18 15:21:46 UTC
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile ||
	cip->profile[ctxnum] == NULL) {
	__pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned.  This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
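The leak pattern described in this report, as an added C illustration that is not part of the bug report or of the pcp sources: a toy pinned-buffer model with a pin counter, a handler that mirrors the reported structure (pin taken inside the decode step, early return on an invalid context number), and a corrected handler with a single release point. The pin_buf/unpin_buf/decode_fetch functions, SZ_PROFILE and the request values are constructed for this example; the live_pins counter plays the role of a leak meter a test suite can assert on.

```c
/* Constructed model of the DoFetch error-path leak: not the pcp code. */
#include <stddef.h>
#include <stdio.h>

/* Toy "PDU buffer": a block with a pin count standing in for the
 * buffer pool's pin/unpin bookkeeping (hypothetical names). */
typedef struct {
    int pins;
    int ctxnum;          /* context number carried by the request */
} pdu_buf;

static int live_pins = 0;   /* outstanding pins across all buffers: the leak meter */

static void pin_buf(pdu_buf *pb)   { pb->pins++; live_pins++; }
static void unpin_buf(pdu_buf *pb) { pb->pins--; live_pins--; }

/* Stand-in for the decode step: pins the buffer and hands out ctxnum. */
static int decode_fetch(pdu_buf *pb, int *ctxnum)
{
    pin_buf(pb);
    *ctxnum = pb->ctxnum;
    return 0;
}

#define SZ_PROFILE 4   /* constructed: number of profile slots for this client */

/* Leaky handler: mirrors the reported structure, where an invalid ctxnum
 * returns before the pin taken inside decode_fetch is released. */
static int do_fetch_leaky(pdu_buf *pb, void *const profile[SZ_PROFILE])
{
    int ctxnum;
    decode_fetch(pb, &ctxnum);
    if (ctxnum < 0 || ctxnum >= SZ_PROFILE || profile[ctxnum] == NULL)
        return -1;          /* error path: pin never released */
    unpin_buf(pb);          /* only the success path releases it */
    return 0;
}

/* Fixed handler: every exit after decode_fetch releases the pin. */
static int do_fetch_fixed(pdu_buf *pb, void *const profile[SZ_PROFILE])
{
    int ctxnum, sts = 0;
    decode_fetch(pb, &ctxnum);
    if (ctxnum < 0 || ctxnum >= SZ_PROFILE || profile[ctxnum] == NULL)
        sts = -1;           /* report the error, but fall through to the release */
    unpin_buf(pb);          /* single release point covers both paths */
    return sts;
}

/* Drive n requests carrying an invalid ctxnum through a handler and return
 * how many pins remain outstanding afterwards: 0 means no leak. */
static int pins_leaked(int (*handler)(pdu_buf *, void *const[SZ_PROFILE]), int n)
{
    void *profile[SZ_PROFILE] = { NULL, NULL, NULL, NULL }; /* no profiles received yet */
    pdu_buf pb = { 0, 99 };   /* constructed request: ctxnum 99 is out of range */
    live_pins = 0;
    for (int i = 0; i < n; i++)
        handler(&pb, profile);
    return live_pins;
}

int main(void)
{
    printf("leaky handler: %d pins outstanding after 1000 bad requests\n",
           pins_leaked(do_fetch_leaky, 1000));
    printf("fixed handler: %d pins outstanding after 1000 bad requests\n",
           pins_leaked(do_fetch_fixed, 1000));
    return 0;
}
```

The point a reviewer checks for in this class of bug is that every return after the step that acquires the resource (here the pin) is paired with a release; funnelling all exits through one release point, as in do_fetch_fixed, makes that property visible at a glance and lets a counter like live_pins catch regressions in a unit test.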

Comment 2 Mark Goodwin 2012-07-20 00:07:40 UTC
Ken requested assignment, thanks Ken!

Comment 3 Ken McDonell 2012-07-20 11:32:57 UTC
Created attachment 599366
proposed patch for dofetch.c

This one is done I believe.

Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 04:09:31 UTC
Upstream patch:


This issue has been addressed in pcp-3.6.5
