From 87f199c14199afa29f75bb336383564f0fb4548a Mon Sep 17 00:00:00 2001 From: Mark Vitale Date: Thu, 5 Jul 2018 23:51:37 -0400 Subject: [PATCH] OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText BUDB_SaveText is defined with an input parameter that is defined to XDR as an unbounded array of chars: typedef char charListT<>; RPCs with unbounded arrays as inputs are susceptible to remote denial-of-service (DOS) attacks. A malicious client may submit a BUDB_SaveText request with an arbitrarily large array, forcing the budb server to expend large amounts of network bandwidth, cpu cycles, and heap memory to unmarshal the input. Modify the XDR definition of charListT so it is bounded. This typedef is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but fortunately all in-tree callers of the client routines specify the same maximum length of 1024. Note: However, SBUDB_SaveText server implementation seems to allow for up to BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader) (8), and it's unknown if any out-of-tree callers exist. Since we do not need a tight bound in order to avoid the DoS, use a somewhat higher maximum of 4096 bytes to leave a safety margin. [kaduk@mit.edu: bump the margin to 4096; adjust commit message to match] (cherry picked from commit 124445c0c47994f5e2efef30e86337c3c8ebc93f) Change-Id: Ic34f8f9e7484b7503a223509d5d61b72e1298b35 --- src/budb/budb.rg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/budb/budb.rg b/src/budb/budb.rg index 1ec45f1cac..6e61652ff2 100644 --- a/src/budb/budb.rg +++ b/src/budb/budb.rg @@ -224,7 +224,7 @@ typedef struct budb_volumeEntry budb_volumeList; typedef struct budb_dumpEntry budb_dumpList; typedef struct budb_tapeEntry budb_tapeList; typedef afs_int32 budb_dumpsList; -typedef char charListT<>; +typedef char charListT<4096>; %#define BUDB_TEXT_COMPLETE 1
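Review bot: the new bound in `typedef char charListT<4096>;` is a literal that is not tied to the server-side limit the commit message cites (BLOCK_DATA_SIZE = 2040, derived from BLOCKSIZE minus the block header) or to the 1024-byte maximum the in-tree client callers pass, so a later change to BLOCKSIZE could silently leave the XDR bound smaller than what SBUDB_SaveText is prepared to accept, or larger than callers expect on the BUDB_GetText/BUDB_DumpDB OUT path. Suggest adding a one-line comment above the typedef in budb.rg stating that 4096 was chosen as a DoS ceiling with a margin over BLOCK_DATA_SIZE and must be kept at least that large, and, since this typedef is shared with two OUT parameters, a note in the commit message that any out-of-tree client expecting more than 4096 bytes from those RPCs will now fail to unmarshal the reply.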