[Cluster-devel] [PATCH 2/2] fsck.gfs2: Fix buffer overflow in get_lockproto_table

cluster-devel.redhat.com archive mirror
 help / color / mirror / Atom feed

From: Andrew Price <anprice@redhat.com>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH 2/2] fsck.gfs2: Fix buffer overflow in get_lockproto_table
Date: Mon,  9 Jul 2012 17:06:52 +0100	[thread overview]
Message-ID: <1341850012-28904-2-git-send-email-anprice@redhat.com> (raw)
In-Reply-To: <1341850012-28904-1-git-send-email-anprice@redhat.com>

Coverity discovered a buffer overflow in this function where an overly
long cluster name in cluster.conf could cause a crash while repairing
the superblock. This patch fixes the bug by making sure the lock table
is composed sensibly, limiting the fsname to 16 chars as documented, and
only allowing the cluster name (which doesn't seem to have a documented
max size) to use the remaining space in the locktable name string.

Signed-off-by: Andrew Price <anprice@redhat.com>
---
 gfs2/fsck/initialize.c |   42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/gfs2/fsck/initialize.c b/gfs2/fsck/initialize.c
index f07e0b2..e56161e 100644
--- a/gfs2/fsck/initialize.c
+++ b/gfs2/fsck/initialize.c
@@ -753,12 +753,13 @@ static int init_system_inodes(struct gfs2_sbd *sdp)
 static int get_lockproto_table(struct gfs2_sbd *sdp)
 {
 	FILE *fp;
-	char line[PATH_MAX], *p, *p2;
-	char fsname[PATH_MAX];
+	char line[PATH_MAX];
+	char *cluname, *end;
+	const char *fsname, *cfgfile = "/etc/cluster/cluster.conf";
 
 	memset(sdp->lockproto, 0, sizeof(sdp->lockproto));
 	memset(sdp->locktable, 0, sizeof(sdp->locktable));
-	fp = fopen("/etc/cluster/cluster.conf", "rt");
+	fp = fopen(cfgfile, "rt");
 	if (!fp) {
 		/* no cluster.conf; must be a stand-alone file system */
 		strcpy(sdp->lockproto, "lock_nolock");
@@ -771,28 +772,29 @@ static int get_lockproto_table(struct gfs2_sbd *sdp)
 	log_warn(_("Lock protocol assumed to be: " GFS2_DEFAULT_LOCKPROTO
 		   "\n"));
 	strcpy(sdp->lockproto, GFS2_DEFAULT_LOCKPROTO);
+
 	while (fgets(line, sizeof(line) - 1, fp)) {
-		p = strstr(line,"<cluster name=");
-		if (p) {
-			p += 15;
-			p2 = strchr(p,'"');
-			strncpy(sdp->locktable, p, p2 - p);
+		cluname = strstr(line,"<cluster name=");
+		if (cluname) {
+			cluname += 15;
+			end = strchr(cluname,'"');
+			if (end)
+				*end = '\0';
 			break;
 		}
 	}
-	if (sdp->locktable[0] == '\0') {
-		log_err(_("Error: Unable to determine cluster name from "
-			  "/etc/cluster.conf\n"));
+	if (cluname == NULL || end == NULL || end - cluname < 1) {
+		log_err(_("Error: Unable to determine cluster name from %s\n"),
+		                                                      cfgfile);
 	} else {
-		memset(fsname, 0, sizeof(fsname));
-		p = strrchr(opts.device, '/');
-		if (p) {
-			p++;
-			strncpy(fsname, p, sizeof(fsname));
-		} else
-			strcpy(fsname, "repaired");
-		strcat(sdp->locktable, ":");
-		strcat(sdp->locktable, fsname);
+		fsname = strrchr(opts.device, '/');
+		if (fsname)
+			fsname++;
+		else
+			fsname = "repaired";
+		snprintf(sdp->locktable, sizeof(sdp->locktable), "%.*s:%.16s",
+		         (int)(sizeof(sdp->locktable) - strlen(fsname) - 2),
+		         cluname, fsname);
 		log_warn(_("Lock table determined to be: %s\n"),
 			 sdp->locktable);
 	}
-- 
1.7.10.4

next prev parent reply	other threads:[~2012-07-09 16:06 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-07-09 16:06 [Cluster-devel] [PATCH 1/2] mkfs.gfs2: Avoid a rename race when checking file contents Andrew Price
2012-07-09 16:06 ` Andrew Price [this message]
2012-07-12 16:08   ` [Cluster-devel] [PATCH 2/2] fsck.gfs2: Fix buffer overflow in get_lockproto_table Bob Peterson

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f07e0b2 dfblob:e56161e )
 OR (
bs:"[Cluster-devel] [PATCH 2/2] fsck.gfs2: Fix buffer overflow in get_lockproto_table" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1341850012-28904-2-git-send-email-anprice@redhat.com \
    --to=anprice@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).