LU-4047 build: fix 'memory' errors

Fix 'memory corruption' defects found by Coverity version 6.6.1:
Out-of-bounds write (OVERRUN)
Overrunning array at byte offset using index.
Fix 'memory illegal accesses' defects found by Coverity version 6.6.1:
Read from pointer after free (USE_AFTER_FREE)
Dereferencing freed pointer.
Readlink used insecurely (READLINK)
buffer[sizeof(buffer)] is an off-by-one error.

Signed-off-by: Sebastien Buisson <sebastien.buisson@bull.net>
Change-Id: I91af9fae93f89275cf6d3ad97bdc37958c0d709e
Reviewed-on: http://review.whamcloud.com/7822
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>

diff --git a/lustre/quota/qsd_writeback.c b/lustre/quota/qsd_writeback.c
index 19f9f17..aa7e005 100644 (file)
--- a/lustre/quota/qsd_writeback.c
+++ b/lustre/quota/qsd_writeback.c
@@ -126,9 +126,7 @@ static void qsd_add_deferred(struct qsd_instance *qsd, cfs_list_t *list,
                                     "with ver:"LPU64"", tmp->qur_ver);
                        cfs_list_del_init(&tmp->qur_link);
                        qsd_upd_free(tmp);
-               }
-
-               if (upd->qur_ver < tmp->qur_ver) {
+               } else if (upd->qur_ver < tmp->qur_ver) {
                        continue;
                } else {
                        cfs_list_add_tail(&upd->qur_link, &tmp->qur_link);

diff --git a/lustre/utils/lhsmtool_posix.c b/lustre/utils/lhsmtool_posix.c
index c283e63..0709264 100644 (file)
--- a/lustre/utils/lhsmtool_posix.c
+++ b/lustre/utils/lhsmtool_posix.c
@@ -934,7 +934,7 @@ static int ct_archive(const struct hsm_action_item *hai, const long hal_flags)
                int              linkno = 0;
                char            *ptr;
                int              depth = 0;
-               int              sz;
+               ssize_t          sz;
 
                sprintf(buf, DFID, PFID(&hai->hai_fid));
                sprintf(src, "%s/shadow/", opt.o_hsm_root);
@@ -968,6 +968,12 @@ static int ct_archive(const struct hsm_action_item *hai, const long hal_flags)
                }
                /* symlink already exists ? */
                sz = readlink(src, buf, sizeof(buf));
+               /* detect truncation */
+               if (sz == sizeof(buf)) {
+                       rcf = rcf ? rcf : -E2BIG;
+                       CT_ERROR(rcf, "readlink '%s' truncated", src);
+                       goto fini_minor;
+               }
                if (sz >= 0) {
                        buf[sz] = '\0';
                        if (sz == 0 || strncmp(buf, dst, sz) != 0) {