From: Russ Allbery Date: Tue, 8 Apr 2014 17:16:53 +0000 (-0700) Subject: Apply upstream security patches from OpenAFS 1.6.7 X-Git-Tag: debian/1.4.12.1+dfsg-4+squeeze3^0 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=f80c02ad9926b566e8e24092dbec80e0bc0454e4;p=packages%2Fo%2Fopenafs.git Apply upstream security patches from OpenAFS 1.6.7 * Apply upstream security patches: - OPENAFS-SA-2014-001: Fix potential buffer overflow in the fileserver. (CVE-2014-0159) - Fix a potential DoS attack against Rx servers by delaying connection aborts instead of responding immediately. --- diff --git a/debian/changelog b/debian/changelog index 5aa26cbc0..8cc6680ce 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +openafs (1.4.12.1+dfsg-4+squeeze3) squeeze-security; urgency=high + + * Apply upstream security patches: + - OPENAFS-SA-2014-001: Fix potential buffer overflow in the + fileserver. (CVE-2014-0159) + - Fix a potential DoS attack against Rx servers by avoiding suspending + the listener thread when delaying connection abort messages. + + -- Russ Allbery Tue, 08 Apr 2014 10:16:09 -0700 + openafs (1.4.12.1+dfsg-4+squeeze2) squeeze-security; urgency=high * Apply upstream security patches: diff --git a/src/rx/rx.c b/src/rx/rx.c index 4eba8a563..75fbc0377 100644 --- a/src/rx/rx.c +++ b/src/rx/rx.c @@ -3977,6 +3977,30 @@ rxi_ReceiveAckPacket(register struct rx_call *call, struct rx_packet *np, return np; } +/** + * Schedule a connection abort to be sent after some delay. + * + * @param[in] conn The connection to send the abort on. + * @param[in] msec The number of milliseconds to wait before sending. + * + * @pre conn_data_lock must be held + */ +static void +rxi_SendConnectionAbortLater(struct rx_connection *conn, int msec) +{ + struct clock when, now; + if (!conn->error) { + return; + } + if (!conn->delayedAbortEvent) { + clock_GetTime(&now); + when = now; + clock_Addmsec(&when, msec); + conn->delayedAbortEvent = + rxevent_PostNow(&when, &now, rxi_SendDelayedConnAbort, conn, 0); + } +} + /* Received a response to a challenge packet */ struct rx_packet * rxi_ReceiveResponsePacket(register struct rx_connection *conn, @@ -3996,13 +4020,12 @@ rxi_ReceiveResponsePacket(register struct rx_connection *conn, error = RXS_CheckResponse(conn->securityObject, conn, np); if (error) { /* If the response is invalid, reset the connection, sending - * an abort to the peer */ -#ifndef KERNEL - rxi_Delay(1); -#endif + * an abort to the peer. Send the abort with a 1 second delay, + * to avoid a peer hammering us by constantly recreating a + * connection with bad credentials. */ rxi_ConnectionError(conn, error); MUTEX_ENTER(&conn->conn_data_lock); - np = rxi_SendConnectionAbort(conn, np, istack, 0); + rxi_SendConnectionAbortLater(conn, 1000); MUTEX_EXIT(&conn->conn_data_lock); return np; } else { @@ -4357,7 +4380,6 @@ rxi_SendConnectionAbort(register struct rx_connection *conn, struct rx_packet *packet, int istack, int force) { afs_int32 error; - struct clock when, now; if (!conn->error) return packet; @@ -4379,12 +4401,8 @@ rxi_SendConnectionAbort(register struct rx_connection *conn, RX_PACKET_TYPE_ABORT, (char *)&error, sizeof(error), istack); MUTEX_ENTER(&conn->conn_data_lock); - } else if (!conn->delayedAbortEvent) { - clock_GetTime(&now); - when = now; - clock_Addmsec(&when, rxi_connAbortDelay); - conn->delayedAbortEvent = - rxevent_PostNow(&when, &now, rxi_SendDelayedConnAbort, conn, 0); + } else { + rxi_SendConnectionAbortLater(conn, rxi_connAbortDelay); } return packet; } diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c index 92338b424..2f29eafc9 100644 --- a/src/viced/afsfileprocs.c +++ b/src/viced/afsfileprocs.c @@ -5695,7 +5695,7 @@ SRXAFS_GetStatistics64(struct rx_call *acall, afs_int32 statsVersion, ViceStatis #endif /* FS_STATS_DETAILED */ if ((code = CallPreamble(acall, NOTACTIVECALL, &tcon, &thost))) goto Bad_GetStatistics64; - if (statsVersion > STATS64_VERSION) + if (statsVersion != STATS64_VERSION) goto Bad_GetStatistics64; ViceLog(1, ("SAFS_GetStatistics64 Received\n")); Statistics->ViceStatistics64_val =