Bug #8180
Invalid netbuf decoded by xdr_netbuf()
Status: Closed
Start date: 2017-05-08
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
External Bug:
Description
In a case the maxbuf field of the netbuf structure in the incoming XDR stream is different than the actual len of the data then the xdr_netbuf() function might decode the improperly sized netbuf structure. In such a case the allocated buffer size for the netbuf data won't be maxlen, but len instead. This violates the netbuf semantics where the maxlen field denotes the allocated (IOW, max) size of the buffer pointed to by buf, while len is just the actual length of the used data in the buf buffer.
Fortunately, I didn't find any xdr_netbuf() consumer that might be affected by this.
Files
Updated by Marcel Telka about 6 years ago
- File test.c added
The problem is clearly visible by running the attached test.c program:
$ ./test
maxlen: 65536 len: 1
Segmentation Fault (core dumped)
$
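The mismatch described in this report, as an added example (not the attached test.c and not illumos code). It assumes a simplified wire layout of big-endian maxlen, then len, then the data bytes; struct nb, its alloc field, nb_decode(), nb_invariant_ok() and NB_MAX are hypothetical names. The loose mode sizes the buffer by len while keeping the wire maxlen, and the strict mode is one possible hardening that rejects len > maxlen and allocates maxlen bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NB_MAX (1u << 20)	/* assumed cap on a wire-supplied maxlen */

/* Toy netbuf; `alloc` is hypothetical and only records the real buffer size. */
struct nb { uint32_t maxlen, len; char *buf; size_t alloc; };

/* Constructed input: maxlen=65536, len=1, one data byte plus XDR padding. */
static const unsigned char SAMPLE[] = { 0,1,0,0,  0,0,0,1,  'A',0,0,0 };

static uint32_t be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode maxlen/len/data; size the buffer by len (loose) or maxlen (strict). */
int nb_decode(const unsigned char *in, size_t n, struct nb *out, int strict)
{
	if (n < 8) return -1;
	out->maxlen = be32(in);
	out->len = be32(in + 4);
	if (out->len > n - 8) return -1;	/* data must be present in the input */
	if (strict && (out->len > out->maxlen || out->maxlen > NB_MAX))
		return -1;			/* reject inconsistent or huge sizes */
	out->alloc = strict ? out->maxlen : out->len;
	out->buf = calloc(1, out->alloc ? out->alloc : 1);
	if (out->buf == NULL) return -1;
	memcpy(out->buf, in + 8, out->len);
	return 0;
}

/* netbuf semantics from the report: len <= maxlen <= allocated size. */
int nb_invariant_ok(const struct nb *b)
{
	return b->len <= b->maxlen && b->maxlen <= b->alloc;
}

int main(void)
{
	struct nb a = {0}, b = {0};
	if (nb_decode(SAMPLE, sizeof SAMPLE, &a, 0) || nb_decode(SAMPLE, sizeof SAMPLE, &b, 1))
		return 1;
	printf("loose: ok=%d  strict: ok=%d\n", nb_invariant_ok(&a), nb_invariant_ok(&b));
	free(a.buf); free(b.buf);
	return 0;
}
```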
Updated by Marcel Telka about 6 years ago
- Subject changed from Invalid netbuf from xdr_netbuf() to Invalid netbuf decoded by xdr_netbuf()
Updated by Marcel Telka about 6 years ago
- Status changed from In Progress to Pending RTI
Updated by Electric Monk about 6 years ago
- Status changed from Pending RTI to Closed
- % Done changed from 0 to 100
git commit cfa354e4631308e491ed50bfe99d3cf93cc69bd9
commit cfa354e4631308e491ed50bfe99d3cf93cc69bd9
Author: Marcel Telka <marcel@telka.sk>
Date: 2017-05-13T21:12:32.000Z

8180 Invalid netbuf decoded by xdr_netbuf()
Reviewed by: Arne Jansen <arne@die-jansens.de>
Reviewed by: Yuri Pankov <yuri.pankov@gmail.com>
Reviewed by: Vitaliy Gusev <gusev.vitaliy@icloud.com>
Approved by: Gordon Ross <gordon.w.ross@gmail.com>