jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 15:00:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays

Browse Source 
RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks.  A malicious client may submit an RPC
request with an arbitrarily large array, forcing the server to expend
large amounts of network bandwidth, cpu cycles, and heap memory to
unmarshal the input.

Instead, issue an error message and stop rxgen when it detects an RPC
defined with an unbounded input array.  Thus we will detect the problem
at build time and prevent any future unbounded input arrays.

Change-Id: Ib110f817ed1c8132ea2549025876a5200c728fab
This commit is contained in:
Mark Vitale 2018-07-06 03:14:19 -04:00 committed by Benjamin Kaduk
parent 8b92d015cc
commit a4c1d5c48d
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/rxgen/rpc_parse.c
View File

@ -411,6 +411,9 @@ get_declaration(declaration * dec, defkind dkind)
}
dec->rel = REL_ARRAY;
if (peekscan(TOK_RANGLE, &tok)) {
if ((dkind == DEF_INPARAM) || (dkind == DEF_INOUTPARAM)) {
error("input arrays must specify a max size");
}
dec->array_max = "~0u"; /* unspecified size, use max */
} else {
scan_num(&tok);
@ -953,7 +956,7 @@ hdle_param_tok(definition * defp, declaration * dec, token * tokp,
Proc_list->component_kind = DEF_PARAM;
Proc_list->code = alloc(250);
Proc_list->scode = alloc(250);
get_declaration(dec, DEF_PARAM);
get_declaration(dec, par_kind);
Proc_list->pl.param_name = dec->name;
get1_param_type(defp, dec, &Proc_list->pl.param_type);
print_param(dec);