Fix crash in __pmDecodeCreds handling corrupt PDUs
author Nathan Scott <nathans@redhat.com>
Mon, 13 Aug 2012 01:28:42 +0000 (11:28 +1000)
committer Nathan Scott <nathans@redhat.com>
Mon, 13 Aug 2012 01:28:42 +0000 (11:28 +1000)
commit cced6012b4b93bfb640a9678589ced5416743910
tree fe5a81b209e76dce106ec214951c13b5d2ac8acb
parent 89af63bedbf2d2acfb1def8259f823676a3ff1c7
Fix crash in __pmDecodeCreds handling corrupt PDUs

Resolve problem decoding the credentials PDU where the numcreds field
exceeds the number of elements actually contained in the PDU.

On 32-bit architectures, the size passed to malloc can be too small,
leading to a heap-based buffer overflow.  On 64-bit architectures,
the multiplication is performed with 64 bits, so no overflow occurs,
and the crash happens because __pmDecodeCreds reads beyond the end of
an allocated buffer.

Original report and patch review by Florian Weimer with the Red Hat
Security Team.  Red Hat bugzilla bug #840822.

Security advisory CVE-2012-3418.
src/libpcp/src/p_creds.c
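
The check the commit message describes, as an added C example that is not the PCP patch or code from the project: the decoder rejects a count field larger than the number of entries the PDU actually carries, and `wrapped_size32` shows how the allocation size truncates with a 32-bit `size_t`. The wire layout (4-byte big-endian count followed by 4-byte entries), the function names and the sample PDUs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN   4u  /* assumed layout: 32-bit big-endian entry count */
#define CRED_SIZE 4u  /* assumed layout: fixed-size credential entries */

/* Constructed sample PDUs, not captured traffic. */
static const uint8_t good_pdu[]  = { 0, 0, 0, 2,  1, 0, 0, 1,  2, 0, 0, 2 };
/* Claims 0x40000001 entries but carries only one. */
static const uint8_t lying_pdu[] = { 0x40, 0, 0, 1,  1, 0, 0, 1 };

/* Allocation size as computed with a 32-bit size_t: wraps modulo 2^32. */
uint32_t wrapped_size32(uint32_t count)
{
    return (uint32_t)(count * CRED_SIZE);
}

/* Returns 0 and a malloc'd copy of the entries, or -1 for a corrupt PDU. */
int decode_creds(const uint8_t *pdu, size_t pdu_len,
                 uint8_t **creds, uint32_t *count)
{
    uint32_t n;

    if (pdu == NULL || pdu_len < HDR_LEN)
        return -1;
    n = ((uint32_t)pdu[0] << 24) | ((uint32_t)pdu[1] << 16) |
        ((uint32_t)pdu[2] << 8) | (uint32_t)pdu[3];
    /* Reject empty lists (assumption) and counts beyond the entries present. */
    if (n == 0 || n > (pdu_len - HDR_LEN) / CRED_SIZE)
        return -1;
    /* n * CRED_SIZE <= pdu_len here, so the product cannot wrap. */
    *creds = malloc((size_t)n * CRED_SIZE);
    if (*creds == NULL)
        return -1;
    memcpy(*creds, pdu + HDR_LEN, (size_t)n * CRED_SIZE);
    *count = n;
    return 0;
}

int main(void)
{
    uint8_t *creds = NULL;
    uint32_t n = 0;
    int ok = decode_creds(good_pdu, sizeof good_pdu, &creds, &n) == 0 && n == 2;
    free(creds);
    int rejected = decode_creds(lying_pdu, sizeof lying_pdu, &creds, &n) == -1;
    return (ok && rejected && wrapped_size32(0x40000001u) == 4) ? 0 : 1;
}
```

Dividing the remaining PDU length by the entry size, rather than multiplying the count, keeps the comparison free of overflow on both 32-bit and 64-bit builds.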