[torquedev] patch: bounds checking on PBatchReqType[] accesses
Garrick Staples
garrick at clusterresources.com
Tue Feb 13 22:48:21 MST 2007
On Tue, Feb 13, 2007 at 12:17:53PM +0100, Sergio Gelato alleged:
> pbs_server references the array PBatchReqType[] when generating error
> messages about requests received from the network.
>
> Unfortunately, it doesn't check that the request type lies within the
> array bounds. A malicious client could therefore easily cause an
> almost arbitrary portion of the pbs_server address space to be
> copied to log_buffer, possibly overflowing it (and/or causing a
> segmentation fault).
I'm looking at the bottom of dis_request_read() in
src/server/dis_read.c, where it punts unknown request types. It logs an
error message with a translation of the request number into the string.
This seems like precisely the place where we don't want a translation,
because if the type is unknown, then we won't have a string for it.
I am applying your patch with the following changes:
move reqtype_to_txt() declr to libpbs.h, so it doesn't show up in the
public API,
and remove the translations from the unknown req error.
More information about the torquedev
mailing list