[OpenAFS-announce] OpenAFS Security Advisory 2013-0002

Simon Wilkinson openafs-info@openafs.org
Mon, 4 Mar 2013 14:49:04 +0000



Topic: Buffer overflow in OpenAFS ptserver (CVE-2013-1795)

Issued:		4 March 2013
Last Updated:	4 March 2013
Affected:	OpenAFS servers before version 1.6.2

An attacker can crash an OpenAFS ptserver by sending an IdToName RPC with
a large payload.

SUMMARY
=======

The ptserver accepts an id list of unbounded length in the IdToName RPC. The
length of that list is then used to size several internal data structures,
including the name list returned to the caller, which is allocated as
size * PR_MAXNAMELEN bytes. If the length is large enough, this multiplication
overflows the int used to compute the size passed to malloc, so the server
allocates buffers that are too small for the number of entries it goes on to
write, and heap memory beyond them is overwritten.
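To make the overflow concrete, here is the length check before and after the
fix, modelled in a stand-alone C program. This is an added example written for
this page, not OpenAFS code: PR_MAXNAMELEN is 64 as in OpenAFS, but the numeric
value used for PRTOOMANY and all function names are assumptions and mirror no
OpenAFS API. The model computes what the unpatched int multiplication would
hand to malloc() and compares it with the number of bytes actually needed.

```c
/*
 * Added example (not OpenAFS code): a stand-alone model of the size check in
 * ptserver's idToName() before and after the CVE-2013-1795 fix.
 * PR_MAXNAMELEN is 64 in OpenAFS; the value of PRTOOMANY below is an assumed
 * placeholder chosen only so the functions have a distinct error return.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PR_MAXNAMELEN 64
#define PRTOOMANY     1   /* assumed placeholder, not the OpenAFS error code */

/* Pre-fix check: rejects only negative counts. */
int check_idlist_len_old(int size)
{
    if (size < 0)
        return PRTOOMANY;
    return 0;
}

/* Post-fix check from the advisory patch: also rejects counts whose
 * product with PR_MAXNAMELEN cannot be represented in an int. */
int check_idlist_len_new(int size)
{
    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
        return PRTOOMANY;
    return 0;
}

/* Number of bytes the server really needs to hold `size` names. */
unsigned long long bytes_needed(int size)
{
    return (unsigned long long)size * PR_MAXNAMELEN;
}

/* Byte count the pre-fix code hands to malloc() once the 32-bit int
 * multiplication size * PR_MAXNAMELEN wraps. Computed in uint32_t so the
 * wrap is well defined in this model; results >= 2^31 correspond to a
 * negative int, which becomes a huge size_t and makes malloc() fail. */
uint32_t bytes_allocated_wrapped(int size)
{
    return (uint32_t)size * (uint32_t)PR_MAXNAMELEN;
}

/* 1 if the pre-fix server accepts `size` yet passes malloc() fewer bytes
 * than it will later write: either an undersized buffer that is overrun
 * (heap overwrite) or a failed allocation, depending on the wrapped value. */
int undersized_allocation(int size)
{
    if (check_idlist_len_old(size) != 0)
        return 0;
    return bytes_allocated_wrapped(size) < bytes_needed(size);
}

int main(void)
{
    /* Constructed sample counts: benign values, the boundary of the new
     * check, and a value whose product wraps exactly to zero. */
    int counts[] = { 1, 1000, INT_MAX / PR_MAXNAMELEN,
                     INT_MAX / PR_MAXNAMELEN + 1, 1 << 26, INT_MAX };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int n = counts[i];
        printf("idlist_len=%10d old=%d new=%d needed=%llu wrapped=%u undersized=%d\n",
               n, check_idlist_len_old(n), check_idlist_len_new(n),
               bytes_needed(n), bytes_allocated_wrapped(n),
               undersized_allocation(n));
    }
    return 0;
}
```

The interesting row is idlist_len = 1 << 26 (67108864): the old check accepts
it, 67108864 * 64 wraps to 0, so malloc() is asked for zero bytes while the
server believes it has room for 4 GiB of names. The new check rejects
everything above INT_MAX / 64 = 33554431, the largest count whose byte total
still fits in an int.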

IMPACT
======

An unauthenticated attacker can crash an OpenAFS ptserver.

AFFECTED SOFTWARE
=================

All releases of OpenAFS prior to 1.6.2

FIXES
=====

The OpenAFS project recommends that administrators upgrade to OpenAFS
1.6.2 or later.

For those sites unable, or unwilling, to upgrade, patches to resolve
this issue are included below. Patches are provided for both OpenAFS
1.6.1 and OpenAFS 1.4.14.1.

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement, and code patches related to it, may be found on the
OpenAFS security advisory page at

    http://www.openafs.org/security/

ACKNOWLEDGEMENTS
================

This issue was identified, and the fix provided, by Nickolai Zeldovich.


Attachment: openafs-sa-2013-0002-1_4_14_1.patch (for OpenAFS 1.4.14.1)

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index c56d670..239752a 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -691,7 +691,7 @@ idToName(call, aid, aname)
     size = aid->idlist_len;
     if (size == 0)
 	return 0;
-    if (size < 0)
+    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
 	return PRTOOMANY;
     aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
     aname->namelist_len = 0;
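Review bot: the new bound on "if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)" only stops the multiplication from overflowing; it still lets an unauthenticated caller make the server malloc just under INT_MAX bytes (about 2 GiB) per IdToName call, and the malloc() on the next line is not checked for NULL in the lines shown. Consider a much lower application-level cap on idlist_len, reflecting the number of ids a legitimate client passes in one call, and confirm a failed malloc() is handled before namelist_val is used.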

Attachment: openafs-sa-2013-0002.patch (for OpenAFS 1.6.1)

diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index ee56bcf..ae1a562 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -679,7 +679,7 @@ idToName(struct rx_call *call, idlist *aid, namelist *aname)
     size = aid->idlist_len;
     if (size == 0)
 	return 0;
-    if (size < 0)
+    if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
 	return PRTOOMANY;
     aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN);
     aname->namelist_len = 0;
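Review bot: INT_MAX needs <limits.h>, and the hunk does not show the include, so confirm ptprocs.c already pulls it in (directly or through the AFS headers) or the file will not compile. The fix also relies on size being a signed int: "size = aid->idlist_len" copies what is normally an unsigned XDR length, so a value above INT_MAX turns negative and is caught by "size < 0", while anything smaller is caught by the new bound. A one-line comment saying both halves of the condition are needed would keep a later cleanup from dropping the "size < 0" test as dead code.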
