jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 15:00:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

OPENAFS-SA-2024-003: Run xdr_free for retried RPCs

Browse Source 
CVE-2024-10397

A few areas of code retry the same RPC, like so:

    do {
        code = VL_SomeRPC(rxconn, &array_out);
    } while (some_condition);
    xdr_free((xdrproc_t) xdr_foo, &array_out);

Or try a different version/variant of an RPC (e.g.
VLDB_ListAttributesN2 -> VLDB_ListAttributes).

If the first RPC call causes the output array to be allocated with
length N, then the subsequent RPC calls may fail if the server
responds with an array larger than N.

Furthermore, if the subsequent call responds with an array smaller
than N, then when we xdr_free the array, our length will be smaller
than the actual number of allocated elements. That results in two
potential issues:

- We'll fail to free the elements at the end of the array. This is
  only a problem if each element in the array also uses
  dynamically-allocated memory (e.g. each element contains a string or
  another array). Fortunately, there are only a few such structures in
  any of our RPC-L definitions: SysNameList and CredInfos. And neither
  of those are used in such a retry loop, so this isn't a problem.

- We'll give the wrong length to osi_free when freeing the array
  itself. This only matters for KERNEL, and only on some platforms
  (such as Solaris), since the length given to osi_free is ignored
  everywhere else.

To avoid these possible issues, change the relevant retry loops to
free our xdr-allocated arrays on every iteration of the loop, like
this:

    do {
        xdr_free((xdrproc_t) xdr_foo, &array_out);
        code = VL_SomeRPC(rxconn, &array_out);
    } while (some_condition);
    xdr_free((xdrproc_t) xdr_foo, &array_out);

Or like this:

    do {
        code = VL_SomeRPC(rxconn, &array_out);
        xdr_free((xdrproc_t) xdr_foo, &array_out);
    } while (some_condition);

FIXES 135043

Reviewed-on: https://gerrit.openafs.org/15923
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 1f5e1ef9e3)

Change-Id: I77ce3a904d502784cbf356e113972dfab838256e
Reviewed-on: https://gerrit.openafs.org/15945
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
This commit is contained in:
Andrew Deason 2020-10-16 10:52:03 -05:00 committed by Benjamin Kaduk
parent a82212ab20
commit 25ad3931d5
6 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/WINNT/afsd/cm_getaddrs.c
View File

@ -234,6 +234,7 @@ cm_GetAddrsU(cm_cell_t *cellp, cm_user_t *userp, cm_req_t *reqp,
code = cm_ConnByMServers(cellp->vlServersp, 0, userp, reqp, &connp);
if (code)
continue;
xdr_free((xdrproc_t) xdr_bulkaddrs, &addrs);
rxconnp = cm_GetRxConn(connp);
code = VL_GetAddrsU(rxconnp, &attrs, &uuid, &unique, &nentries,
&addrs);

1
src/afs/afs_pioctl.c
View File

@ -1596,6 +1596,7 @@ DECL_PIOCTL(PGetAcl)
if (tconn) {
XSTATS_START_TIME(AFS_STATS_FS_RPCIDX_FETCHACL);
RX_AFS_GUNLOCK();
xdr_free((xdrproc_t) xdr_AFSOpaque, &acl);
code = RXAFS_FetchACL(rxconn, &Fid, &acl, &OutStatus, &tsync);
RX_AFS_GLOCK();
XSTATS_END_TIME;

1
src/afs/afs_volume.c
View File

@ -1205,6 +1205,7 @@ LockAndInstallUVolumeEntry(struct volume *av, struct uvldbentry *ve, int acell,
0, &rxconn);
if (tconn) {
RX_AFS_GUNLOCK();
xdr_free((xdrproc_t) xdr_bulkaddrs, &addrs);
code =
VL_GetAddrsU(rxconn, &attrs, &uuid, &unique,
&nentries, &addrs);

1
src/ptserver/pts.c
View File

@ -681,6 +681,7 @@ CheckEntry(struct cmd_syndesc *as, void *arock)
lids.idlist_val[0] = aentry.owner;
lids.idlist_val[1] = aentry.creator;
xdr_free((xdrproc_t) xdr_namelist, &lnames);
code = pr_IdToName(&lids, &lnames);
if (code) {
rcode = code;

1
src/ptserver/testpt.c
View File

@ -112,6 +112,7 @@ ListUsedIds(struct cmd_syndesc *as, void *arock)
startId++;
}
lids.idlist_len = i;
xdr_free((xdrproc_t) xdr_namelist, &lnames);
code = pr_IdToName(&lids, &lnames);
if (code) {
afs_com_err(whoami, code, "converting id to name");

1
src/volser/vos.c
View File

@ -4520,6 +4520,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock)
&arrayEntries, &nextindex);
if (vcode == RXGEN_OPCODE) {
/* Vlserver not running with ListAttributesN2. Fall back */
xdr_free((xdrproc_t) xdr_nbulkentries, &arrayEntries);
vcode =
VLDB_ListAttributes(&attributes, &centries, &arrayEntries);
nextindex = -1;