Overview

File U_14-Strict-check-on-message-size-to-prevent-message-extension-attacks.patch of Package slurm.32299

From: Tim Wickberg <tim@schedmd.com>
Date: Wed Nov 29 10:33:17 2023 -0700
Subject: [PATCH 14/28]Strict check on message size to prevent message extension attacks.
Patch-mainline: Upstream
Git-repo: https://github.com/SchedMD/slurm
Git-commit: b4d8335f9f0a73150290a08ff5fd7a48617b8e91
References: bsc#1218046, bsc#1218050, bsc#1218051, bsc#1218053
Signed-off-by: Egbert Eich <eich@suse.de>

CVE-2023-49933.

Signed-off-by: Egbert Eich <eich@suse.com>
---
 NEWS                            |  2 ++
 src/common/slurm_protocol_api.c | 12 +++---------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/NEWS b/NEWS
index 5f5fbf5ea7..75a81f3311 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ documents those changes that are of interest to users and administrators.
 
 * Backported changes
 ====================
+ -- Prevent message extension attacks that could bypass the message hash.
+    CVE-2023-49933.
  -- Prevent NULL pointer dereference on size_valp overflow. CVE-2023-49936.
  -- Prevent double-xfree() on error in _unpack_node_reg_resp(). CVE-2023-49937.
  -- Fix filesystem handling race conditions that could lead to an attacker
diff --git a/src/common/slurm_protocol_api.c b/src/common/slurm_protocol_api.c
index 35d7b9e2a7..de389f1293 100644
--- a/src/common/slurm_protocol_api.c
+++ b/src/common/slurm_protocol_api.c
@@ -3479,7 +3479,7 @@ extern int slurm_unpack_received_msg(slurm_msg_t *msg, int fd, Buf buffer)
 
 	msg->body_offset =  get_buf_offset(buffer);
 
-	if ((header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, msg, auth_cred) ||
 	    (unpack_msg(msg, buffer) != SLURM_SUCCESS)) {
 		rc = ESLURM_PROTOCOL_INCOMPLETE_PACKET;
@@ -3757,7 +3757,7 @@ List slurm_receive_msgs(int fd, int steps, int timeout)
 	msg.msg_type = header.msg_type;
 	msg.flags = header.flags;
 
-	if ((header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, &msg, auth_cred) ||
 	    (unpack_msg(&msg, buffer) != SLURM_SUCCESS)) {
 		(void) g_slurm_auth_destroy(auth_cred);
@@ -4148,13 +4148,7 @@ int slurm_receive_msg_and_forward(int fd, slurm_addr_t *orig_addr,
 	msg->msg_type = header.msg_type;
 	msg->flags = header.flags;
 
-	if (header.msg_type == MESSAGE_COMPOSITE) {
-		slurm_send_rc_msg(msg, SLURM_SUCCESS);
-		msg_aggr_add_comp(buffer, auth_cred, &header);
-		goto total_return;
-	}
-
-	if ( (header.body_length > remaining_buf(buffer)) ||
+	if ((header.body_length != remaining_buf(buffer)) ||
 	    _check_hash(buffer, &header, msg, auth_cred) ||
 	     (unpack_msg(msg, buffer) != SLURM_SUCCESS) ) {
 		(void) g_slurm_auth_destroy(auth_cred);
openSUSE Build Service is sponsored by
Places