From 69760f4094ca03c1e0f70b2a5d8112175f06a643 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 8 Apr 2014 09:58:21 -0700
Subject: [PATCH] Apply upstream security patches from OpenAFS 1.6.7

* Apply upstream security patches:
- OPENAFS-SA-2014-001: Fix potential buffer overflow in the fileserver. (CVE-2014-0159)
- Fix a potential DoS attack against Rx servers by avoiding suspending the listener thread when delaying connection abort messages.
---
 debian/changelog | 10 ++++++++++
 src/rx/rx.c | 42 ++++++++++++++++++++++++++++++------------
 src/viced/afsfileprocs.c | 5 +++++
 3 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 098ded425..a5b096ae2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openafs (1.6.1-3+deb7u2) wheezy-security; urgency=high
+
+ * Apply upstream security patches:
+ - OPENAFS-SA-2014-001: Fix potential buffer overflow in the
+ fileserver. (CVE-2014-0159)
+ - Fix a potential DoS attack against Rx servers by avoiding suspending
+ the listener thread when delaying connection abort messages.
+
+ -- Russ Allbery Tue, 08 Apr 2014 09:58:10 -0700
+
 openafs (1.6.1-3+deb7u1) wheezy-security; urgency=high
 
 * Apply upstream security patches:
diff --git a/src/rx/rx.c b/src/rx/rx.c
index 0ef85e52b..68ddfbaac 100644
--- a/src/rx/rx.c
+++ b/src/rx/rx.c
@@ -4767,6 +4767,30 @@ rxi_ReceiveAckPacket(struct rx_call *call, struct rx_packet *np,
 return np;
 }
+/**
+ * Schedule a connection abort to be sent after some delay.
+ *
+ * @param[in] conn The connection to send the abort on.
+ * @param[in] msec The number of milliseconds to wait before sending.
+ *
+ * @pre conn_data_lock must be held
+ */
+static void
+rxi_SendConnectionAbortLater(struct rx_connection *conn, int msec)
+{
+ struct clock when, now;
+ if (!conn->error) {
+ return;
+ }
+ if (!conn->delayedAbortEvent) {
+ clock_GetTime(&now);
+ when = now;
+ clock_Addmsec(&when, msec);
+ conn->delayedAbortEvent =
+ rxevent_PostNow(&when, &now, rxi_SendDelayedConnAbort, conn, 0);
+ }
+}
+
 /* Received a response to a challenge packet */
 struct rx_packet *
 rxi_ReceiveResponsePacket(struct rx_connection *conn,
@@ -4786,13 +4810,12 @@ rxi_ReceiveResponsePacket(struct rx_connection *conn,
 error = RXS_CheckResponse(conn->securityObject, conn, np);
 if (error) {
 /* If the response is invalid, reset the connection, sending
- * an abort to the peer */
-#ifndef KERNEL
- rxi_Delay(1);
-#endif
+ * an abort to the peer. Send the abort with a 1 second delay,
+ * to avoid a peer hammering us by constantly recreating a
+ * connection with bad credentials. */
 rxi_ConnectionError(conn, error);
 MUTEX_ENTER(&conn->conn_data_lock);
- np = rxi_SendConnectionAbort(conn, np, istack, 0);
+ rxi_SendConnectionAbortLater(conn, 1000);
 MUTEX_EXIT(&conn->conn_data_lock);
 return np;
 } else {
@@ -5182,7 +5205,6 @@ rxi_SendConnectionAbort(struct rx_connection *conn,
 struct rx_packet *packet, int istack, int force)
 {
 afs_int32 error;
- struct clock when, now;
 if (!conn->error) return packet;
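Review bot: The doc comment on the new rxi_SendConnectionAbortLater does not mention the two cases in which its body silently does nothing: when `conn->error` is unset, and when `conn->delayedAbortEvent` is already set, in which case the new `msec` is ignored and the earlier deadline stands. The two callers in this patch pass different delays (1000 and rxi_connAbortDelay), so that behaviour belongs in the header; I would add `@note No-op if conn->error is unset or an abort is already scheduled; the first scheduled delay wins.` It would also help to state the accepted range of `msec`, since it is a plain int handed to clock_Addmsec without a check.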
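Review bot: The literal `1000` in the new `rxi_SendConnectionAbortLater(conn, 1000);` call in rxi_ReceiveResponsePacket is a throttling policy value and would be easier to find and tune as a named constant declared next to rxi_connAbortDelay. Separately, because the abort is now deferred instead of sent inline, a connection that failed RXS_CheckResponse presumably stays allocated with a pending event until the timer fires. It is worth confirming that the number of such connections one peer can hold open is bounded elsewhere. The function body starts and ends outside the hunk.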
@@ -5204,12 +5226,8 @@ rxi_SendConnectionAbort(struct rx_connection *conn,
 RX_PACKET_TYPE_ABORT, (char *)&error, sizeof(error), istack);
 MUTEX_ENTER(&conn->conn_data_lock);
- } else if (!conn->delayedAbortEvent) {
- clock_GetTime(&now);
- when = now;
- clock_Addmsec(&when, rxi_connAbortDelay);
- conn->delayedAbortEvent =
- rxevent_PostNow(&when, &now, rxi_SendDelayedConnAbort, conn, 0);
+ } else {
+ rxi_SendConnectionAbortLater(conn, rxi_connAbortDelay);
 }
 return packet;
 }
diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c
index 17224b935..13d4c4347 100644
--- a/src/viced/afsfileprocs.c
+++ b/src/viced/afsfileprocs.c
@@ -5846,6 +5846,11 @@ SRXAFS_GetStatistics64(struct rx_call *acall, afs_int32 statsVersion, ViceStatis
 if ((code = CallPreamble(acall, NOTACTIVECALL, &tcon, &thost))) goto Bad_GetStatistics64;
+ if (statsVersion != STATS64_VERSION) {
+ code = EINVAL;
+ goto Bad_GetStatistics64;
+ }
+
 ViceLog(1, ("SAFS_GetStatistics64 Received\n"));
 Statistics->ViceStatistics64_val = malloc(statsVersion*sizeof(afs_int64));
--
2.39.5
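Review bot: The new `statsVersion != STATS64_VERSION` check in SRXAFS_GetStatistics64 jumps to Bad_GetStatistics64 before the `ViceLog(1, ...)` line, so within this hunk a rejected request is not logged, and the check carries no comment saying why exact equality is required. I would put `/* statsVersion is caller-supplied and sizes the malloc below; accept only STATS64_VERSION */` above it, and consider a ViceLog line on the reject path so operators can see malformed GetStatistics64 calls. The function continues outside the hunk, so it is not visible here whether Bad_GetStatistics64 already logs, or whether the malloc result is checked before use.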