Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

msg/msg_types: fix the entity_addr_t's decoder #17699

Merged
merged 1 commit into from Sep 15, 2017
Merged

msg/msg_types: fix the entity_addr_t's decoder #17699

merged 1 commit into from Sep 15, 2017

Conversation

tchaikov
Copy link
Contributor

the daemon is vulnerable to malicious client, which is able to send
large elen, and corrupt the stack, etc.

Signed-off-by: Kefu Chai kchai@redhat.com

liewegas
liewegas reviewed Sep 13, 2017
View reviewed changes
src/msg/msg_types.h Outdated
@@ -456,7 +456,8 @@ struct entity_addr_t {
__u32 elen;
::decode(elen, bl);
if (elen) {
bl.copy(elen, (char*)get_sockaddr());
bl.copy(std::min((size_t)elen, get_sockaddr_len()),
(char*)get_sockaddr());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it make more sense to throw buffer::error if elen > get_sockaddr_len()? That seems better than partially decoding the (bogus) input.

Copy link
Contributor Author

@tchaikov tchaikov Sep 13, 2017
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liewegas makes sense, i will check all the caller sites , and add the error handling code if necessary.

@tchaikov
Copy link
Contributor Author

introduced by 6a7fe5a

@tchaikov tchaikov added the DNM label Sep 13, 2017
@tchaikov tchaikov self-assigned this Sep 13, 2017
@tchaikov tchaikov removed the DNM label Sep 13, 2017
@tchaikov
Copy link
Contributor Author

@liewegas fixed and repushed.

@tchaikov
msg/msg_types: fix the entity_addr_t's decoder
aa83c2c 
the daemon is vulnerable to malicious client, which is able to send
large elen, and corrupt the stack, etc.

* throw at seeing corrupted entity_addr_t where its elen exceeds
  the length of sockaddr
* handle the exception thrown when decoding entity_addr_t in messenger
  layer.
* if a malicious client manages to send a corrutped entity_addr_t to
  daemon, daemon will crash because decode fails and the exception is
  not handled. it's better than continuing working with the bogus
  message.

Signed-off-by: Kefu Chai <kchai@redhat.com>
@tchaikov
Copy link
Contributor Author

@tchaikov tchaikov merged commit 5a16a5d into ceph:master Sep 15, 2017
@tchaikov tchaikov deleted the wip-lookout-for-large-elen branch September 15, 2017 11:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liewegas liewegas liewegas approved these changes

@gregsfortytwo gregsfortytwo Awaiting requested review from gregsfortytwo

Assignees

@tchaikov tchaikov

Labels
bug-fix common needs-qa wip-kefu-testing
Projects
None yet
Milestone
No milestone
2 participants
@tchaikov @liewegas