[torquedev] patch: bounds checking on PBatchReqType[] accesses

Garrick Staples garrick at clusterresources.com
Tue Feb 13 22:48:21 MST 2007


On Tue, Feb 13, 2007 at 12:17:53PM +0100, Sergio Gelato alleged:
> pbs_server references the array PBatchReqType[] when generating error
> messages about requests received from the network.
> 
> Unfortunately, it doesn't check that the request type lies within the 
> array bounds. A malicious client could therefore easily cause an
> almost arbitrary portion of the pbs_server address space to be 
> copied to log_buffer, possibly overflowing it (and/or causing a
> segmentation fault). 

I'm looking at the bottom of dis_request_read() in
src/server/dis_read.c, where it punts unknown request types.  It logs an
error message with a translation of the request number into the string.
This seems like precisely the place where we don't want a translation,
because if the type is unknown, then we won't have a string for it.

I am applying your patch with the following changes:
  move reqtype_to_txt() declr to libpbs.h, so it doesn't show up in the
public API, 
  and remove the translations from the unknown req error.



More information about the torquedev mailing list