OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays

RPCs with unbounded arrays as inputs are susceptible to remote
denial-of-service (DOS) attacks.  A malicious client may submit an RPC
request with an arbitrarily large array, forcing the server to expend
large amounts of network bandwidth, cpu cycles, and heap memory to
unmarshal the input.

Instead, issue an error message and stop rxgen when it detects an RPC
defined with an unbounded input array.  Thus we will detect the problem
at build time and prevent any future unbounded input arrays.

(cherry picked from commit a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6)

Change-Id: I4c60c4776d7f02ea9790b76b49e7325d9c55f31d

diff --git a/src/rxgen/rpc_parse.c b/src/rxgen/rpc_parse.c
index ab26c954a4670837c5410945c2bd182c9eb61b2b..f5d7c703387b3e103180309ccff180bc55afb01f 100644 (file)
--- a/src/rxgen/rpc_parse.c
+++ b/src/rxgen/rpc_parse.c
@@ -411,6 +411,9 @@ get_declaration(declaration * dec, defkind dkind)
        }
        dec->rel = REL_ARRAY;
        if (peekscan(TOK_RANGLE, &tok)) {
+           if ((dkind == DEF_INPARAM) || (dkind == DEF_INOUTPARAM)) {
+               error("input arrays must specify a max size");
+           }
            dec->array_max = "~0u";     /* unspecified size, use max */
        } else {
            scan_num(&tok);
@@ -953,7 +956,7 @@ hdle_param_tok(definition * defp, declaration * dec, token * tokp,
     Proc_list->component_kind = DEF_PARAM;
     Proc_list->code = alloc(250);
     Proc_list->scode = alloc(250);
-    get_declaration(dec, DEF_PARAM);
+    get_declaration(dec, par_kind);
     Proc_list->pl.param_name = dec->name;
     get1_param_type(defp, dec, &Proc_list->pl.param_type);
     print_param(dec);