Project

General

Profile

Bug #8238

xdr_callmsg() should clear residual bytes

Added by Marcel Telka over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Low
Assignee:
Category:
networking
Start date:
2017-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

The xdr_callmsg() function is not zeroing the residual bytes for both credential and verifier in the in-line XDR encoding code path. This violates RFC 4506 (Section 4.10) and could leak some uninitialized and thus possibly sensitive data over the wire.

We should modify both implementations of xdr_callmsg() to properly zero the residual bytes. Similarly as xdr_replymsg() does for the verifier residual bytes.


Files

test.c (1.65 KB) test.c Marcel Telka, 2017-05-16 09:08 AM

History

#1

Updated by Marcel Telka over 2 years ago

To reproduce the problem run the attached test. It will show either leaked sensitive data (ee) or just a garbage (aa) in the encoded stream.

$ ./test 
11223344
00000000
00000002
00000005
00000006
00000007
00000008
00000005
66666666
66eeeeee
00000009
00000005
77777777
77eeeeee
$
#3

Updated by Marcel Telka over 2 years ago

  • Status changed from In Progress to Pending RTI
#4

Updated by Electric Monk over 2 years ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 0 to 100

git commit 45681b8b0e59cad83c1547d78e25d4b7f218d635

commit  45681b8b0e59cad83c1547d78e25d4b7f218d635
Author: Marcel Telka <marcel@telka.sk>
Date:   2017-05-29T16:28:55.000Z

    8238 xdr_callmsg() should clear residual bytes
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Yuri Pankov <yuripv@gmx.com>
    Reviewed by: Gary Mills <gary_mills@fastmail.fm>
    Approved by: Robert Mustacchi <rm@joyent.com>

Also available in: Atom PDF