[torquedev] patch: bounds checking on PBatchReqType[] accesses
Garrick Staples
garrick at clusterresources.com
Tue Feb 13 23:54:07 MST 2007
On Tue, Feb 13, 2007 at 10:48:21PM -0700, Garrick Staples alleged:
> On Tue, Feb 13, 2007 at 12:17:53PM +0100, Sergio Gelato alleged:
> > pbs_server references the array PBatchReqType[] when generating error
> > messages about requests received from the network.
> >
> > Unfortunately, it doesn't check that the request type lies within the
> > array bounds. A malicious client could therefore easily cause an
> > almost arbitrary portion of the pbs_server address space to be
> > copied to log_buffer, possibly overflowing it (and/or causing a
> > segmentation fault).
>
> I'm looking at the bottom of dis_request_read() in
> src/server/dis_read.c, where it punts unknown request types. It logs an
> error message with a translation of the request number into the string.
> This seems like precisely the place where we don't want a translation,
> because if the type is unknown, then we won't have a string for it.
>
> I am applying your patch with the following changes:
> move reqtype_to_txt() declr to libpbs.h, so it doesn't show up in the
> public API,
> and remove the translations from the unknown req error.
trunk has your patch with the changes I mentioned.
2.1-fixes has a smaller patch that checks rq_type.
Can you and Glen please verify that everything looks OK?
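As an added illustration of the fix under discussion (not code from TORQUE or from anyone in this thread), the bounded lookup below mirrors what a range-checked reqtype_to_txt() has to do, and the logging helper reports an unknown type by number only. The table contents, both function signatures and the helper name are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pbs_server's PBatchReqType[] string table; the
 * real TORQUE table is longer and its entries differ. */
static const char *const PBatchReqType[] = {
    "Connect", "QueueJob", "JobCred", "JobScript",
    "ReadyToCommit", "Commit", "DeleteJob", "HoldJob",
};
#define NUM_REQ_TYPES (sizeof(PBatchReqType) / sizeof(PBatchReqType[0]))

/* Bounded lookup in the spirit of the reqtype_to_txt() the thread refers to
 * (hypothetical signature). The request type arrives off the network, so it
 * is attacker-controlled; the unchecked original indexed the table with it
 * directly, reading whatever lay at PBatchReqType[type] for any int value. */
const char *reqtype_to_txt(int type)
{
    if (type < 0 || (size_t)type >= NUM_REQ_TYPES)
        return "unknown request type";
    return PBatchReqType[type];
}

/* Build the line dis_request_read() would log when it punts on a request.
 * Known types are named; unknown types are reported by number only, as the
 * message above describes. snprintf() bounds the write to log_buffer, so a
 * long string can be truncated but never overflow it. Returns 1 if the type
 * was recognised, 0 otherwise. */
int log_request_type(char *log_buffer, size_t buflen, int type)
{
    int known = (type >= 0 && (size_t)type < NUM_REQ_TYPES);
    if (known)
        snprintf(log_buffer, buflen, "request type %d (%s)", type,
                 reqtype_to_txt(type));
    else
        snprintf(log_buffer, buflen, "unknown request type %d", type);
    return known;
}
```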