OpenAFS Master Repository branch, master, updated. BP-openafs-stable-1_8_x-220-gd5816fd

Gerrit Code Review gerrit@openafs.org
Tue, 11 Sep 2018 15:01:03 -0400


The following commit has been merged in the master branch:
commit 124445c0c47994f5e2efef30e86337c3c8ebc93f
Author: Mark Vitale <mvitale@sinenomine.net>
Date:   Thu Jul 5 23:51:37 2018 -0400

    OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText
    
    BUDB_SaveText is defined with an input parameter that is defined to XDR
    as an unbounded array of chars:
       typedef char charListT<>;
    
    RPCs with unbounded arrays as inputs are susceptible to remote
    denial-of-service (DOS) attacks.  A malicious client may submit a
    BUDB_SaveText request with an arbitrarily large array, forcing the budb
    server to expend large amounts of network bandwidth, cpu cycles, and
    heap memory to unmarshal the input.
    
    Modify the XDR definition of charListT so it is bounded.  This typedef
    is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
    fortunately all in-tree callers of the client routines specify the same
    maximum length of 1024.
    
    Note: However, SBUDB_SaveText server implementation seems to allow for up to
    BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
    (8), and it's unknown if any out-of-tree callers exist.  Since we do not need a
    tight bound in order to avoid the DoS, use a somewhat higher maximum of
    4096 bytes to leave a safety margin.
    
    [kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]
    
    Change-Id: Ic3fe2758a9c97ed02c6e6d05f0de0865959b5b04

 src/budb/budb.rg |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

-- 
OpenAFS Master Repository