[OpenAFS-devel] Attacks against AFS lead to crashing machines

Srikanth Vishwanathan vsrikanth@in.ibm.com
Sat, 8 Jun 2002 00:40:26 -0400


I think I know at least one reason for the client crashes.

The functions in src/afs/afs_callback.c call rxi_Alloc()
for memory allocation instead of afs_osi_Alloc(). The problem
is that rxi_Alloc may call osi_Alloc (afs_osi_Alloc()) or
osi_AllocMediumSpace() or osi_AllocSmall() depending on the
system type and/or the amount of memory needed.

But the XDR layer always uses afs_osi_Free to free memory.

Disaster is guaranteed if we allocate memory using functions
osi_AllocMediumSpace() or osi_AllocSmall() but free it using
afs_osi_Free(). These functions allocate large chunks of
memory and return small chunks as needed.

We have not been able to reproduce this problem on Linux.
This is because on Linux, rxi_Alloc always calls osi_Alloc
(afs_osi_Alloc), which makes it OK.

Changing all rxi_Allocs in afs_callback.c to afs_osi_Alloc
should help.
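Added illustration, not code from this post or from OpenAFS: a constructed model of the size-based dispatch described above (small requests carved from a static pool, larger ones from the general-purpose allocator), with a free routine that checks a pointer's provenance and reports the mismatch instead of handing a pool pointer to free(). All names, sizes and the pool layout are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for the small-object pool that osi_AllocSmall()
 * carves from: one static chunk, bump-allocated, never handed to free(). */
#define SMALL_LIMIT 64
#define POOL_SIZE 4096
static unsigned char small_pool[POOL_SIZE];
static size_t pool_used;

static void *alloc_small(size_t n) {
    if (pool_used + n > POOL_SIZE) return NULL;
    void *p = small_pool + pool_used;
    pool_used += n;
    return p;
}

/* Stand-in for afs_osi_Alloc(): the general-purpose allocator. */
static void *osi_alloc(size_t n) { return malloc(n); }

/* Stand-in for the dispatch in rxi_Alloc(): which allocator answers a
 * request depends on the size, so the caller cannot know the origin. */
void *rxi_alloc_model(size_t n) {
    return n <= SMALL_LIMIT ? alloc_small(n) : osi_alloc(n);
}

/* Provenance check: a pointer inside the pool must never reach free(). */
bool from_small_pool(const void *p) {
    const unsigned char *c = p;
    return c >= small_pool && c < small_pool + POOL_SIZE;
}

/* Stand-in for afs_osi_Free() with the check added: returns 0 for a
 * matched free, -1 for a pool pointer (the mismatch the post describes)
 * rather than corrupting the heap. */
int osi_free_checked(void *p) {
    if (from_small_pool(p)) return -1;
    free(p);
    return 0;
}
```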