[torquedev] patch: bounds checking on PBatchReqType[] accesses

Garrick Staples garrick at clusterresources.com
Tue Feb 13 23:54:07 MST 2007

On Tue, Feb 13, 2007 at 10:48:21PM -0700, Garrick Staples alleged:
> On Tue, Feb 13, 2007 at 12:17:53PM +0100, Sergio Gelato alleged:
> > pbs_server references the array PBatchReqType[] when generating error
> > messages about requests received from the network.
> > 
> > Unfortunately, it doesn't check that the request type lies within the 
> > array bounds. A malicious client could therefore easily cause an
> > almost arbitrary portion of the pbs_server address space to be 
> > copied to log_buffer, possibly overflowing it (and/or causing a
> > segmentation fault). 
> I'm looking at the bottom of dis_request_read() in
> src/server/dis_read.c, where it punts unknown request types.  It logs an
> error message with a translation of the request number into the string.
> This seems like precisely the place where we don't want a translation,
> because if the type is unknown, then we won't have a string for it.
> I am applying your patch with the following changes:
>   move reqtype_to_txt() declr to libpbs.h, so it doesn't show up in the
> public API, 
>   and remove the translations from the unknown req error.

trunk has your patch with the changes I mentioned.

2.1-fixes has a smaller patch that checks rq_type.

Can you and Glen please verify that everything looks OK?

More information about the torquedev mailing list