Ticket 7744

Hi Regine,

I have another related issue with the same problem. The fact that we're not using MAX_PACK_MEM_LEN as is is because a malloc can fail if it is too big.
A temporary fix is just to increase the order of magnitude of MAX_ARRAY_LEN_LARGE by 1.
I am reevaluating what is better, whether to be consistent with MAX_PACK_MEM_LEN or just limit the malloc to another value.
Will inform when it is fixed.

Thanks for reporting.


Besides this, you missed some parts on your patch:

diff --git a/src/common/pack.c b/src/common/pack.c
index b995d77a0c..c92d1df757 100644
--- a/src/common/pack.c
+++ b/src/common/pack.c
@@ -860,9 +860,9 @@ int unpackmem_ptr(char **valp, uint32_t * size_valp, Buf buffer)
        *size_valp = ntohl(ns);
        buffer->processed += sizeof(ns);
 
-       if (*size_valp > MAX_ARRAY_LEN_LARGE) {
+       if (*size_valp > MAX_PACK_MEM_LEN) {
                error("%s: Buffer to be unpacked is too large (%u > %u)",
-                     __func__, *size_valp, MAX_ARRAY_LEN_LARGE);
+                     __func__, *size_valp, MAX_PACK_MEM_LEN);
                return SLURM_ERROR;
        }
        else if (*size_valp > 0) {
@@ -895,9 +895,9 @@ int unpackmem(char *valp, uint32_t * size_valp, Buf buffer)
        *size_valp = ntohl(ns);
        buffer->processed += sizeof(ns);
 
-       if (*size_valp > MAX_ARRAY_LEN_LARGE) {
+       if (*size_valp > MAX_PACK_MEM_LEN) {
                error("%s: Buffer to be unpacked is too large (%u > %u)",
-                     __func__, *size_valp, MAX_ARRAY_LEN_LARGE);
+                     __func__, *size_valp, MAX_PACK_MEM_LEN);
                return SLURM_ERROR;
        }
        else if (*size_valp > 0) {
@@ -930,9 +930,9 @@ int unpackmem_xmalloc(char **valp, uint32_t * size_valp, Buf buffer)
        *size_valp = ntohl(ns);
        buffer->processed += sizeof(ns);
 
-       if (*size_valp > MAX_ARRAY_LEN_LARGE) {
+       if (*size_valp > MAX_PACK_MEM_LEN) {
                error("%s: Buffer to be unpacked is too large (%u > %u)",
-                     __func__, *size_valp, MAX_ARRAY_LEN_LARGE);
+                     __func__, *size_valp, MAX_PACK_MEM_LEN);
                return SLURM_ERROR;
        }
        else if (*size_valp > 0) {
@@ -966,9 +966,9 @@ int unpackmem_malloc(char **valp, uint32_t * size_valp, Buf buffer)
        memcpy(&ns, &buffer->head[buffer->processed], sizeof(ns));
        *size_valp = ntohl(ns);
        buffer->processed += sizeof(ns);
-       if (*size_valp > MAX_ARRAY_LEN_SMALL) {
+       if (*size_valp > MAX_PACK_MEM_LEN) {
                error("%s: Buffer to be unpacked is too large (%u > %u)",
-                     __func__, *size_valp, MAX_ARRAY_LEN_SMALL);
+                     __func__, *size_valp, MAX_PACK_MEM_LEN);
                return SLURM_ERROR;
        }
        else if (*size_valp > 0) {

Definitively we want to limit the max unpacked size.

One with bad intentions could create some code that sends a message to slurmctld with large data in the packet and could try to crash the controller.
The way to protect this is to limit the unpack function.

I have a patch pending for review to increase one order of magnitude of MAX_ARRAY_LEN_LARGE.

I am now marking this issue as duplicate of a private one we already have. You should receive a notification when the issue is fixed.
For the moment and to be safe you can increase MAX_ARRAY_LEN_LARGE:	

 	
-#define MAX_ARRAY_LEN_LARGE	 10000000
+#define MAX_ARRAY_LEN_LARGE	100000000

*** This ticket has been marked as a duplicate of ticket 7495 ***