Bug 841319 - In-band signalling in __pmGetPDU leads to pmcd memory leak
Summary: In-band signalling in __pmGetPDU leads to pmcd memory leak
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Ken McDonell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 840765 CVE-2012-3420
 
Reported: 2012-07-18 16:41 UTC by Florian Weimer
Modified: 2012-08-20 04:03 UTC

Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-20 04:03:38 UTC
Type: Bug


Attachments
proposed patch for pdu.c (666 bytes, patch), 2012-07-20 06:36 UTC, Ken McDonell

Description Florian Weimer 2012-07-18 16:41:03 UTC
The return value of __pmGetPDU is both an error code and the value of the type field of the PDU.  A negative type value is treated as an error by HandleClientInput, and the PDU is never unpinned, even though it was pinned by __pmGetPDU because there was no error.  This leads to a memory leak and eventual pmcd crash.

I think one possible fix would be to reject negative type values in __pmGetPDU.
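A reduced C model of the in-band signalling problem described above, alongside the suggested fix. This is an added illustration, not PCP's code: ERR_IPC, pin_pdu, unpin_pdu, get_pdu_inband, get_pdu_checked, handle_client_input and leaked_after are all hypothetical names, and the PDU type arrives as a plain int rather than as wire bytes.

```c
#include <stdlib.h>

/* Hypothetical error code standing in for PCP's PM_ERR_IPC (assumption). */
#define ERR_IPC (-1000)
typedef struct { int type; } pdu_t;

/* Pinned PDU buffers not yet released; non-zero after one message is the leak. */
static int pinned_count = 0;

/* Pin (allocate) a PDU carrying the given type field. */
static pdu_t *pin_pdu(int type) {
    pdu_t *p = malloc(sizeof *p);
    if (p == NULL) return NULL;
    p->type = type;
    pinned_count++;
    return p;
}
static void unpin_pdu(pdu_t *p) { pinned_count--; free(p); }

/* Buggy pattern: the return value is both an error code and the PDU type,
 * so a negative type field in the input is indistinguishable from an error. */
static int get_pdu_inband(int wire_type, pdu_t **out) {
    pdu_t *p = pin_pdu(wire_type);
    if (p == NULL) return ERR_IPC;
    *out = p;
    return p->type;
}

/* Fixed pattern (the suggested fix): reject negative types inside the getter,
 * unpinning the buffer before the error is reported. */
static int get_pdu_checked(int wire_type, pdu_t **out) {
    pdu_t *p = pin_pdu(wire_type);
    if (p == NULL) return ERR_IPC;
    if (p->type < 0) { unpin_pdu(p); return ERR_IPC; }
    *out = p;
    return p->type;
}

/* Caller modelled on the reported HandleClientInput behaviour: a negative
 * status is taken to mean nothing was pinned, so it returns early. */
static int handle_client_input(int (*getpdu)(int, pdu_t **), int wire_type) {
    pdu_t *pb = NULL;
    int sts = getpdu(wire_type, &pb);
    if (sts < 0) return sts;
    unpin_pdu(pb);   /* normal path releases the buffer */
    return 0;
}

/* Feed one PDU of the given type through a getter; returns how many
 * buffers remain pinned afterwards (0 means no leak). */
int leaked_after(int (*getpdu)(int, pdu_t **), int wire_type) {
    pinned_count = 0;
    handle_client_input(getpdu, wire_type);
    return pinned_count;
}
```

With a negative type the in-band getter leaves one buffer pinned per message, which is the leak the report describes; the checked getter leaves none.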

Comment 2 Mark Goodwin 2012-07-19 02:25:02 UTC
[this is a test] Ken tried to comment on this BZ but got an error

Comment 3 Ken McDonell 2012-07-19 04:35:43 UTC
I'll work on this one.  Florian's suggested fix seems correct and robust.

Comment 4 Ken McDonell 2012-07-19 08:58:00 UTC
Fix is in commit 49b9bd1e5d1df6f7115fec79bd09e2dc99df7fd9.
QA 511 added to verify bug and fix.

Comment 5 Ken McDonell 2012-07-20 06:36:40 UTC
Created attachment 599314
proposed patch for pdu.c

This is Florian's fix.  I've backed out the commit in my git tree as per the agreed process for handling these issues.

Comment 6 Huzaifa S. Sidhpurwala 2012-08-16 04:10:18 UTC
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=68fb968b4ee635bb301dc9ab64e633b0d66d27b4

This issue has been addressed in pcp-3.6.5.

