From a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6 Mon Sep 17 00:00:00 2001 From: Mark Vitale Date: Fri, 6 Jul 2018 03:14:19 -0400 Subject: [PATCH] OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays RPCs with unbounded arrays as inputs are susceptible to remote denial-of-service (DOS) attacks. A malicious client may submit an RPC request with an arbitrarily large array, forcing the server to expend large amounts of network bandwidth, cpu cycles, and heap memory to unmarshal the input. Instead, issue an error message and stop rxgen when it detects an RPC defined with an unbounded input array. Thus we will detect the problem at build time and prevent any future unbounded input arrays. Change-Id: Ib110f817ed1c8132ea2549025876a5200c728fab
---
 src/rxgen/rpc_parse.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/rxgen/rpc_parse.c b/src/rxgen/rpc_parse.c
index ab26c954a4..f5d7c70338 100644
--- a/src/rxgen/rpc_parse.c
+++ b/src/rxgen/rpc_parse.c
@@ -411,6 +411,9 @@ get_declaration(declaration * dec, defkind dkind)
 }
 dec->rel = REL_ARRAY;
 if (peekscan(TOK_RANGLE, &tok)) {
+ if ((dkind == DEF_INPARAM) || (dkind == DEF_INOUTPARAM)) {
+ error("input arrays must specify a max size");
+ }
 dec->array_max = "~0u"; /* unspecified size, use max */
 } else {
 scan_num(&tok);
@@ -953,7 +956,7 @@ hdle_param_tok(definition * defp, declaration * dec, token * tokp,
 Proc_list->component_kind = DEF_PARAM;
 Proc_list->code = alloc(250);
 Proc_list->scode = alloc(250);
- get_declaration(dec, DEF_PARAM);
+ get_declaration(dec, par_kind);
 Proc_list->pl.param_name = dec->name;
 get1_param_type(defp, dec, &Proc_list->pl.param_type);
 print_param(dec);
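Review bot: The new guard in the `peekscan(TOK_RANGLE, &tok)` branch keys only on `dkind`, so it catches a `<>` array written directly on an IN or INOUT parameter; an unbounded array declared inside a typedef or struct that is later used as an input parameter would presumably reach get_declaration with a different `dkind` and still receive `~0u`. That limitation should be documented at the check, e.g. `/* only direct parameter declarations are checked; typedef/struct members with <> still default to ~0u */`, and the types used by input parameters audited separately. The assignment after the guard also relies on `error()` not returning, which is not visible here; a short comment saying so would help. get_declaration starts and ends outside the hunk.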
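Review bot: Passing `par_kind` instead of the constant means get_declaration, and anything it forwards `dkind` to, no longer sees `DEF_PARAM` on this path; any existing comparison against `DEF_PARAM` in that code (not visible in this hunk) would silently stop matching, so those should be checked. `Proc_list->component_kind` three lines above is still set to `DEF_PARAM`, which looks intentional but deserves a comment such as `/* component_kind stays DEF_PARAM; par_kind carries the IN/OUT/INOUT direction */`. Since the build-time check depends on `par_kind` being accurate, it is worth confirming every caller of hdle_param_tok passes the parsed direction. The function body continues outside the hunk.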