git.openafs.org Git - openafs.git/commit

author	Mark Vitale <mvitale@sinenomine.net>
	Fri, 6 Jul 2018 03:51:37 +0000 (23:51 -0400)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Sun, 9 Sep 2018 22:35:01 +0000 (17:35 -0500)
commit	124445c0c47994f5e2efef30e86337c3c8ebc93f
tree	e9f433ef31f049e1ce88a605f72c2d3f58e6c92d	tree \| snapshot
parent	7629209219bbea3f127b33be06ac427ebc3a559e	commit \| diff

OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText

BUDB_SaveText is defined with an input parameter that is defined to XDR
as an unbounded array of chars:
   typedef char charListT<>;

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks.  A malicious client may submit a
BUDB_SaveText request with an arbitrarily large array, forcing the budb
server to expend large amounts of network bandwidth, cpu cycles, and
heap memory to unmarshal the input.

Modify the XDR definition of charListT so it is bounded.  This typedef
is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
fortunately all in-tree callers of the client routines specify the same
maximum length of 1024.

Note: However, SBUDB_SaveText server implementation seems to allow for up to
BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
(8), and it's unknown if any out-of-tree callers exist.  Since we do not need a
tight bound in order to avoid the DoS, use a somewhat higher maximum of
4096 bytes to leave a safety margin.

[kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]

Change-Id: Ic3fe2758a9c97ed02c6e6d05f0de0865959b5b04