* [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination
@ 2012-10-11 14:21 Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 1/3] libcman: fix possible string nontermination: node name Jan Pokorný
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Jan Pokorný @ 2012-10-11 14:21 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hello once more,
I discovered cases potentially leading to string overruns later
in the processing.
Jan Pokorn? (3):
libcman: fix possible string nontermination: node name
libcman: fix possible string nontermination: barrier name
libcman: fix possible string nontermination: barrier name
cman/lib/libcman.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--
1.7.11.4
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Cluster-devel] [PATCH 1/3] libcman: fix possible string nontermination: node name
2012-10-11 14:21 [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Jan Pokorný
@ 2012-10-11 14:21 ` Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 2/3] libcman: fix possible string nontermination: barrier name Jan Pokorný
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Jan Pokorný @ 2012-10-11 14:21 UTC (permalink / raw)
To: cluster-devel.redhat.com
Haven't tested it, but it seems that if node.cn_name has 254 non-null
bytes (should be otherwise perfectly valid, actual characters number
may vary due to utf-8), it will pester later in the processing due
to not being null-terminated (depends whether 255th byte being
accidentally zero), strcmp in find_node_by_name being the first
troublesome place in row.
After this change and taking preceding condition into account,
the situation should be safe.
Signed-off-by: Jan Pokorn? <jpokorny@redhat.com>
---
cman/lib/libcman.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cman/lib/libcman.c b/cman/lib/libcman.c
index 6ed8ecb..012047d 100644
--- a/cman/lib/libcman.c
+++ b/cman/lib/libcman.c
@@ -685,7 +685,7 @@ int cman_get_node(cman_handle_t handle, int nodeid, cman_node_t *node)
}
cman_node.node_id = nodeid;
- strncpy(cman_node.name, node->cn_name, sizeof(cman_node.name) - 1);
+ strncpy(cman_node.name, node->cn_name, sizeof(cman_node.name));
status = info_call(h, CMAN_CMD_GETNODE, &cman_node, sizeof(struct cl_cluster_node),
&cman_node, sizeof(struct cl_cluster_node));
if (status < 0)
--
1.7.11.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Cluster-devel] [PATCH 2/3] libcman: fix possible string nontermination: barrier name
2012-10-11 14:21 [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 1/3] libcman: fix possible string nontermination: node name Jan Pokorný
@ 2012-10-11 14:21 ` Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 3/3] " Jan Pokorný
2012-10-11 14:36 ` [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Christine Caulfield
3 siblings, 0 replies; 5+ messages in thread
From: Jan Pokorný @ 2012-10-11 14:21 UTC (permalink / raw)
To: cluster-devel.redhat.com
Similar to node name case (separate changeset).
Signed-off-by: Jan Pokorn? <jpokorny@redhat.com>
---
cman/lib/libcman.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cman/lib/libcman.c b/cman/lib/libcman.c
index 012047d..f27e726 100644
--- a/cman/lib/libcman.c
+++ b/cman/lib/libcman.c
@@ -912,7 +912,7 @@ int cman_barrier_register(cman_handle_t handle, const char *name, int flags, int
}
binfo.cmd = BARRIER_CMD_REGISTER;
- strncpy(binfo.name, name, sizeof(binfo.name) - 1);
+ strncpy(binfo.name, name, sizeof(binfo.name));
binfo.arg = nodes;
binfo.flags = flags;
@@ -933,7 +933,7 @@ int cman_barrier_change(cman_handle_t handle, const char *name, int flags, int a
}
binfo.cmd = BARRIER_CMD_CHANGE;
- strncpy(binfo.name, name, sizeof(binfo.name) - 1);
+ strncpy(binfo.name, name, sizeof(binfo.name));
binfo.arg = arg;
binfo.flags = flags;
@@ -954,7 +954,7 @@ int cman_barrier_wait(cman_handle_t handle, const char *name)
}
binfo.cmd = BARRIER_CMD_WAIT;
- strncpy(binfo.name, name, sizeof(binfo.name) - 1);
+ strncpy(binfo.name, name, sizeof(binfo.name));
return info_call(h, CMAN_CMD_BARRIER, &binfo, sizeof(binfo), NULL, 0);
}
@@ -972,7 +972,7 @@ int cman_barrier_delete(cman_handle_t handle, const char *name)
}
binfo.cmd = BARRIER_CMD_DELETE;
- strncpy(binfo.name, name, sizeof(binfo.name) - 1);
+ strncpy(binfo.name, name, sizeof(binfo.name));
return info_call(h, CMAN_CMD_BARRIER, &binfo, sizeof(binfo), NULL, 0);
}
--
1.7.11.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Cluster-devel] [PATCH 3/3] libcman: fix possible string nontermination: barrier name
2012-10-11 14:21 [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 1/3] libcman: fix possible string nontermination: node name Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 2/3] libcman: fix possible string nontermination: barrier name Jan Pokorný
@ 2012-10-11 14:21 ` Jan Pokorný
2012-10-11 14:36 ` [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Christine Caulfield
3 siblings, 0 replies; 5+ messages in thread
From: Jan Pokorný @ 2012-10-11 14:21 UTC (permalink / raw)
To: cluster-devel.redhat.com
Similar to node name case (separate changeset).
Signed-off-by: Jan Pokorn? <jpokorny@redhat.com>
---
cman/lib/libcman.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cman/lib/libcman.c b/cman/lib/libcman.c
index f27e726..d9d6c36 100644
--- a/cman/lib/libcman.c
+++ b/cman/lib/libcman.c
@@ -1131,6 +1131,6 @@ int cman_node_fenced(cman_handle_t handle, int nodeid, uint64_t time, char *agen
f.nodeid = nodeid;
f.fence_time = time;
- strncpy(f.fence_agent, agent, sizeof(f.fence_agent) - 1);
+ strncpy(f.fence_agent, agent, sizeof(f.fence_agent));
return info_call(h, CMAN_CMD_UPDATE_FENCE_INFO, &f, sizeof(f), NULL, 0);
}
--
1.7.11.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination
2012-10-11 14:21 [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Jan Pokorný
` (2 preceding siblings ...)
2012-10-11 14:21 ` [Cluster-devel] [PATCH 3/3] " Jan Pokorný
@ 2012-10-11 14:36 ` Christine Caulfield
3 siblings, 0 replies; 5+ messages in thread
From: Christine Caulfield @ 2012-10-11 14:36 UTC (permalink / raw)
To: cluster-devel.redhat.com
in RHEL6 those strings are copied using strcpy - I think it was changed
in the STABLE branch to strncpy after a coverity scan
TBH the original strcpy is quite safe as the strings come from internal
sources and are pre-validated.
Anyway, the arrays are allocated as size+1 so the strings will never
overflow.
NACK.
On 11/10/12 15:21, Jan Pokorn? wrote:
> Hello once more,
>
> I discovered cases potentially leading to string overruns later
> in the processing.
>
> Jan Pokorn? (3):
> libcman: fix possible string nontermination: node name
> libcman: fix possible string nontermination: barrier name
> libcman: fix possible string nontermination: barrier name
>
> cman/lib/libcman.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-10-11 14:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-11 14:21 [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 1/3] libcman: fix possible string nontermination: node name Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 2/3] libcman: fix possible string nontermination: barrier name Jan Pokorný
2012-10-11 14:21 ` [Cluster-devel] [PATCH 3/3] " Jan Pokorný
2012-10-11 14:36 ` [Cluster-devel] [PATCH 0/3] libcman: fix possible string nontermination Christine Caulfield
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.