git.openafs.org Git - openafs.git/commit

author	Andrew Deason <adeason@sinenomine.net>
	Thu, 13 Jun 2024 20:30:50 +0000 (15:30 -0500)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Tue, 12 Nov 2024 18:06:01 +0000 (13:06 -0500)
commit	c18640c6b98b10cd6f78c63195ff822689cb5348
tree	ef1c0ff8a03d70d5faf91a2cd196ca9824ac2deb	tree \| snapshot
parent	40440c3eb628ff1772588bdc99d7496292097bbd	commit \| diff

OPENAFS-SA-2024-003: xdr: Set _len for prealloc'd opaque/array OUT args

CVE-2024-10397

Currently, a few RPCs with arrays or opaque OUT arguments are called
with preallocated memory for the arg, but also provide a _len of 0 (or
an uninitialized _len). This makes it impossible for the xdr routine to
tell whether we have allocated enough space to actually hold the
response from the server.

To help this situation, either specify an appropriate _len for the
preallocated value (cm_IoctlGetACL, fsprobe_LWP), or don't provide a
preallocated buffer at all and let xdr allocate a buffer for us
(PGetAcl).

Note that this commit doesn't change xdr to actually check the value of
the given _len; but now a future commit can do so without breaking
callers.

FIXES 135043

Reviewed-on: https://gerrit.openafs.org/15919
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit b2b1110ddd9e19670dbc6a3217dc2a74af432f82)

Change-Id: Ibdee49b79da1476c4e606bcad5fb3d08eb259ad7
Reviewed-on: https://gerrit.openafs.org/15941
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>

src/WINNT/afsd/cm_ioctl.c		diff \| blob \| history
src/afs/afs_pioctl.c		diff \| blob \| history
src/fsprobe/fsprobe.c		diff \| blob \| history