Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
slurm
U_12-Protect-against-overflow-of-size_valp.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_12-Protect-against-overflow-of-size_valp.patch of Package slurm
From: Tim Wickberg <tim@schedmd.com> Date: Tue Nov 28 23:20:13 2023 -0700 Subject: [PATCH 12/28]Protect against overflow of size_valp. Patch-mainline: Upstream Git-repo: https://github.com/SchedMD/slurm Git-commit: 4d1dd822b919e3d82dca1cfb283d616ee1ba6a04 References: bsc#1218046, bsc#1218050, bsc#1218051, bsc#1218053 Signed-off-by: Egbert Eich <eich@suse.de> Since we want to NULL-terminate the array, we need to ensure *size_valp is not 0xffffffff as the + 1 would wrap to 0. The allocation would succeed, and then we'd NULL-dereference immediately in the for loop and crash. MAX_PACK_MEM_LEN is somewhat arbitrary, but sufficient for this check. CVE-2023-49936. # Conflicts: # NEWS # src/common/pack.c --- NEWS | 1 + src/common/pack.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index e76209f947..5f5fbf5ea7 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,7 @@ documents those changes that are of interest to users and administrators. * Backported changes ==================== + -- Prevent NULL pointer dereference on size_valp overflow. CVE-2023-49936. -- Prevent double-xfree() on error in _unpack_node_reg_resp(). CVE-2023-49937. -- Fix filesystem handling race conditions that could lead to an attacker taking control of an arbitrary file, or removing entire directories' diff --git a/src/common/pack.c b/src/common/pack.c index 379f910df2..d982f654bd 100644 --- a/src/common/pack.c +++ b/src/common/pack.c @@ -1112,7 +1112,7 @@ int unpackstr_array(char ***valp, uint32_t * size_valp, Buf buffer) if (*size_valp > MAX_ARRAY_LEN_MEDIUM) { error("%s: Buffer to be unpacked is too large (%u > %u)", __func__, *size_valp, MAX_ARRAY_LEN_MEDIUM); - return SLURM_ERROR; + goto unpack_error; } safe_xcalloc(*valp, *size_valp + 1, sizeof(char *));
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor