File U_14-Strict-check-on-message-size-to-prevent-message-extension-attacks.patch of Package slurm.32296
From: Tim Wickberg <tim@schedmd.com>
Date: Wed Nov 29 10:33:17 2023 -0700
Subject: [PATCH 14/28]Strict check on message size to prevent message extension attacks.
Patch-mainline: Upstream
Git-repo: https://github.com/SchedMD/slurm
Git-commit: ed1dd2c341894dc69c5ba9e29dc64e3cfdcaaaa3
References: bsc#1218046, bsc#1218050, bsc#1218051, bsc#1218053
Signed-off-by: Egbert Eich <eich@suse.de>
CVE-2023-49933.
Signed-off-by: Egbert Eich <eich@suse.com>
---
 NEWS                            | 2 ++
 src/common/slurm_protocol_api.c | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index b8902e238b..908cca0ca3 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ documents those changes that are of interest to users and administrators.
 
 * Backported changes
 ====================
+ -- Prevent message extension attacks that could bypass the message hash.
+    CVE-2023-49933.
  -- Prevent NULL pointer dereference on size_valp overflow. CVE-2023-49936.
  -- Prevent double-xfree() on error in _unpack_node_reg_resp(). CVE-2023-49937.
  -- Fix filesystem handling race conditions that could lead to an attacker
diff --git a/src/common/slurm_protocol_api.c b/src/common/slurm_protocol_api.c
index 441bf4675a..a727f7e94b 100644
--- a/src/common/slurm_protocol_api.c
+++ b/src/common/slurm_protocol_api.c
@@ -1014,7 +1014,7 @@ extern int slurm_unpack_received_msg(slurm_msg_t *msg, int fd, Buf buffer)
 
 	msg->body_offset =  get_buf_offset(buffer);
 
-	if ((header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, msg, auth_cred) ||
 	    (unpack_msg(msg, buffer) != SLURM_SUCCESS)) {
 		rc = ESLURM_PROTOCOL_INCOMPLETE_PACKET;
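Review bot: A message carrying bytes beyond `header.body_length` is now rejected here, but it lands in the same branch as a hash failure and an unpack failure and is reported as `ESLURM_PROTOCOL_INCOMPLETE_PACKET`, so logs cannot tell an over-long message from a truncated one. Testing the length in its own `if` ahead of `_check_hash()` and logging both values, e.g. `error("%s: body_length %u != remaining %u", __func__, header.body_length, remaining_buf(buffer));`, would give operators a signal for the CVE-2023-49933 case; the format specifiers assume both values are 32-bit unsigned, which the hunk does not show. A one-line comment such as `/* must match exactly: trailing bytes would sit outside the hashed body */` would also keep a later edit from relaxing `!=` back to `>`, though that rationale is inferred from the commit subject. The same condition is repeated in slurm_receive_msgs() and slurm_receive_msg_and_forward(), and all three functions continue outside their hunks.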
@@ -1279,7 +1279,7 @@ List slurm_receive_msgs(int fd, int steps, int timeout)
 	msg.msg_type = header.msg_type;
 	msg.flags = header.flags;
 
-	if ((header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, &msg, auth_cred) ||
 	    (unpack_msg(&msg, buffer) != SLURM_SUCCESS)) {
 		(void) g_slurm_auth_destroy(auth_cred);
@@ -1647,7 +1647,7 @@ int slurm_receive_msg_and_forward(int fd, slurm_addr_t *orig_addr,
 	msg->msg_type = header.msg_type;
 	msg->flags = header.flags;
 
-	if ( (header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, msg, auth_cred) ||
 	     (unpack_msg(msg, buffer) != SLURM_SUCCESS) ) {
 		(void) g_slurm_auth_destroy(auth_cred);
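Review bot: The condition in slurm_receive_msg_and_forward() is left half-normalized: the changed line drops the space after `if (`, but the third line keeps its extra leading space and the spaced ` ) {` closer. Since the line is being touched anyway, writing it as `(unpack_msg(msg, buffer) != SLURM_SUCCESS)) {` would make this copy read the same as the other two call sites, which makes it easier to check that they stay in step.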