From 97b0ee4d9c9d069e78af2e046c7987aa4d3f9844 Mon Sep 17 00:00:00 2001 From: Mark Vitale Date: Fri, 6 Jul 2018 01:09:53 -0400 Subject: [PATCH] OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple AFSVolForwardMultiple is defined with an input parameter that is defined to XDR as an unbounded array of replica structs: typedef replica manyDests<>; RPCs with unbounded arrays as inputs are susceptible to remote denial-of-service (DOS) attacks. A malicious client may submit an AFSVolForwardMultiple request with an arbitrarily large array, forcing the volserver to expend large amounts of network bandwidth, cpu cycles, and heap memory to unmarshal the input. Even though AFSVolForwardMultiple requires superuser authorization, this attack is exploitable by non-authorized actors because XDR unmarshalling happens long before any authorization checks can occur. Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array. This constant is derived from the current OpenAFS vldb implementation, which is limited to 13 replica sites for a given volume by the layout (size) of the serverNumber, serverPartition, and serverFlags fields. [kaduk@mit.edu: explain why this constant is used] Change-Id: Id12c6a7da4894ec490691eb8791dcd3574baa416 --- src/volser/volint.xg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/volser/volint.xg b/src/volser/volint.xg index 5febc63..6d5eee1 100644 --- a/src/volser/volint.xg +++ b/src/volser/volint.xg @@ -65,6 +65,7 @@ statindex 16 %#define VOLDUMPV2_OMITDIRS 1 const SIZE = 1024; +const NMAXNSERVERS = 13; struct volser_status { afs_uint32 volID; /* Volume id--unique over all systems */ @@ -247,7 +248,7 @@ struct volintSize { afs_uint64 dump_size; }; -typedef replica manyDests<>; +typedef replica manyDests; typedef afs_int32 manyResults<>; typedef transDebugInfo transDebugEntries<>; typedef volintInfo volEntries<>; -- 1.9.4