OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple

AFSVolForwardMultiple is defined with an input parameter that is defined
to XDR as an unbounded array of replica structs:
  typedef replica manyDests<>;

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks.  A malicious client may submit an
AFSVolForwardMultiple request with an arbitrarily large array, forcing
the volserver to expend large amounts of network bandwidth, cpu cycles,
and heap memory to unmarshal the input.

Even though AFSVolForwardMultiple requires superuser authorization, this
attack is exploitable by non-authorized actors because XDR unmarshalling
happens long before any authorization checks can occur.

Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array.
This constant is derived from the current OpenAFS vldb implementation, which
is limited to 13 replica sites for a given volume by the layout (size) of the
serverNumber, serverPartition, and serverFlags fields.

[kaduk@mit.edu: explain why this constant is used]

(cherry picked from commit 97b0ee4d9c9d069e78af2e046c7987aa4d3f9844)

(cherry picked from commit fac3749f0d180e0ca229326c0e8568a60e17d3e9)

Change-Id: I57a0aa15b5a92a111f835b7a58f7495376e3e63b

diff --git a/src/volser/volint.xg b/src/volser/volint.xg
index 4d20f0a..0fdb9ed 100644 (file)
--- a/src/volser/volint.xg
+++ b/src/volser/volint.xg
@@ -65,6 +65,7 @@ statindex 16
 %#define     VOLDUMPV2_OMITDIRS 1
 
 const SIZE = 1024;
+const NMAXNSERVERS = 13;
 
 struct volser_status {
        afs_uint32 volID;               /* Volume id--unique over all systems */
@@ -246,7 +247,7 @@ struct volintSize {
     afs_uint64 dump_size;
 };
 
-typedef  replica manyDests<>;
+typedef  replica manyDests<NMAXNSERVERS>;
 typedef  afs_int32 manyResults<>;
 typedef  transDebugInfo transDebugEntries<>;
 typedef  volintInfo volEntries<>;