Andrew Deason 40440c3eb6 OPENAFS-SA-2024-003: xdr: Avoid prealloc'd string OUT args
CVE-2024-10397

Currently, several callers call RPCs with string OUT arguments, and
provide preallocated memory for those arguments. This can easily allow a
response from the server to overrun the allocated buffer, stomping over
stack or heap memory.

We could simply make our preallocated buffers larger than the maximum
size that the RPC allows, but relying on that is error prone, and
there's no way for XDR to check if a string buffer is large enough.

Instead, to make sure we don't overrun a given preallocated buffer,
avoid giving a preallocated buffer to such RPCs, and let XDR allocate
the memory for us.

Specifically, this commit changes several callers to
RXAFS_GetVolumeStatus(), and one caller of BOZO_GetInstanceParm(), to
avoid passing in a preallocated string buffer.

All other callers of RPCs with string OUT args already let XDR allocate
the buffers for them.

FIXES 135043

Reviewed-on: https://gerrit.openafs.org/15918
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 00a1b266af)

Change-Id: Ib174d008eaf1fd10d42702bcdb607e45b26acf58
Reviewed-on: https://gerrit.openafs.org/15940
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
2024-11-12 13:05:58 -05:00
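
The pattern the commit message above describes, as an added example that is not OpenAFS code: `toy_xdr_string` is a hypothetical stand-in for a length-prefixed string decoder, showing why a preallocated OUT buffer can be overrun and how a caller behaves once the decoder allocates instead. The 256-byte maximum, the sample reply and the length-checked copy in `get_name_safe` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TOY_MAX 256u /* assumed per-RPC maximum string size */
/* Toy decoder (hypothetical): 4-byte big-endian length, then the bytes. Allocates when *sp
 * is NULL, else writes into *sp, whose capacity it cannot know. Returns bytes written, 0 on error. */
static size_t toy_xdr_string(const uint8_t *w, size_t n, char **sp, uint32_t maxsize)
{
    uint32_t len;
    if (n < 4) return 0;
    len = ((uint32_t)w[0] << 24) | ((uint32_t)w[1] << 16) | ((uint32_t)w[2] << 8) | w[3];
    if (len > maxsize || len > n - 4) return 0;
    if (*sp == NULL && (*sp = malloc((size_t)len + 1)) == NULL) return 0;
    memcpy(*sp, w + 4, len); /* unchecked when the caller preallocated *sp */
    (*sp)[len] = '\0';
    return (size_t)len + 1;
}

/* Bytes that would land past a preallocated buffer of cap bytes (0 if it fits). */
static size_t prealloc_overrun(const uint8_t *w, size_t n, size_t cap)
{
    char *s = NULL;
    size_t need = toy_xdr_string(w, n, &s, TOY_MAX);
    free(s);
    return need > cap ? need - cap : 0;
}

/* Caller after the fix: NULL in, decoder allocates, then a length-checked copy (assumed step). */
static int get_name_safe(const uint8_t *w, size_t n, char *dst, size_t dstsz)
{
    char *s = NULL;
    size_t need = toy_xdr_string(w, n, &s, TOY_MAX);
    int ok = need != 0 && need <= dstsz;
    if (ok) memcpy(dst, s, need);
    free(s);
    return ok ? 0 : -1;
}

/* Constructed sample reply: declared length 12, payload "root.cell.rw". */
static const uint8_t LONG_REPLY[] = {0,0,0,12,'r','o','o','t','.','c','e','l','l','.','r','w'};

int main(void)
{
    char name[8];
    printf("overrun: %zu bytes\n", prealloc_overrun(LONG_REPLY, sizeof LONG_REPLY, sizeof name));
    printf("safe rc: %d\n", get_name_safe(LONG_REPLY, sizeof LONG_REPLY, name, sizeof name));
    return 0;
}
```

The per-RPC maximum (`TOY_MAX` here) bounds only what the decoder accepts from the wire, not what the caller's buffer can hold, which is why the 12-byte string passes the decoder's checks yet would overrun an 8-byte preallocated buffer.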
build-tools build: package ltmain.sh in the libafs_tree 2023-10-05 08:39:33 -04:00
doc Add command fallback to server config 2023-08-17 13:13:55 -04:00
src OPENAFS-SA-2024-003: xdr: Avoid prealloc'd string OUT args 2024-11-12 13:05:58 -05:00
tests tests: rx/perf wait for server init before client 2024-05-19 18:03:48 -04:00
.gitignore Remove alpha_dux/alpha_osf references 2023-01-20 09:22:36 -05:00
.gitreview Add .gitreview 2018-02-09 21:48:12 -05:00
.mailmap git: add a mailmap file 2016-09-25 21:05:23 -04:00
.splintrc
acinclude.m4 dir: Introduce struct DirEntryFlex 2024-01-06 14:53:33 -05:00
CODING gcc: Avoid false positive use-after-free in crypto 2023-08-17 13:08:32 -04:00
configure-libafs.ac Make OpenAFS 1.8.12.2 2024-10-03 18:32:45 -04:00
configure.ac Make OpenAFS 1.8.12.2 2024-10-03 18:32:45 -04:00
CONTRIBUTING openafs: add a contributor code of conduct 2015-09-18 20:38:28 -04:00
INSTALL configure: Add platform rs_aix73 2023-04-13 16:58:38 -04:00
libafsdep Move build support files into build-tools 2010-07-14 20:40:36 -07:00
LICENSE Use autoconf-archive m4 from src/external 2022-08-04 12:26:41 -04:00
Makefile-libafs.in Fix libafs_tree's cross-architecture support 2010-05-24 20:28:41 -07:00
Makefile.in build: Add rpm target 2023-08-17 13:23:40 -04:00
NEWS Update NEWS for OpenAFS 1.8.12.2 2024-10-03 18:31:59 -04:00
NTMakefile WINNT: Build bubasics before audit 2020-01-25 15:53:31 -05:00
README Tweak grammar in README 2015-12-28 19:32:17 -05:00
README-WINDOWS Update windows build documentation 2013-07-02 15:14:09 -07:00
regen.sh Use autoconf-archive m4 from src/external 2022-08-04 12:26:41 -04:00

AFS is a distributed file system that enables users to share and
access all of the files stored in a network of computers as easily as
they access the files stored on their local machines. The file system is
called distributed for this exact reason: files can reside on many
different machines, but are available to users on every machine.

OpenAFS 1.0 was originally released by IBM under the terms of the
IBM Public License 1.0 (IPL10).  For details on IPL10 see the LICENSE
file in this directory.  The current OpenAFS distribution is licensed
under a combination of the IPL10 and many other licenses as granted by
the relevant copyright holders.  The LICENSE file in this directory
contains more details, though it is not a comprehensive statement.

See INSTALL for information about building and installing OpenAFS
on various platforms.

See CODING for developer information and guidelines.

See NEWS for recent changes to OpenAFS.