From: bobijam Date: Thu, 27 Sep 2007 02:52:19 +0000 (+0000) Subject: Branch b1_6 X-Git-Tag: v1_8_0_110~1162 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=b7292703957bcf6938777118a2c5f0ecb6f3d693;p=fs%2Flustre-release.git Branch b1_6 b=12948 i= wangdi, johann Description: buffer overruns could theoretically occur Details : llapi_semantic_traverse() modifies the "path" argument by appending values to the end of the origin string, and a buffer overrun may occur. Adding buffer overrun check in liblustreapi.
---
diff --git a/lustre/ChangeLog b/lustre/ChangeLog
index 4a858ef..0513b7e 100644
--- a/lustre/ChangeLog
+++ b/lustre/ChangeLog
@@ -69,6 +69,13 @@ Details : If a new ldiskfs filesystem is created with the "uninit_groups"
 "bg_unused_inodes" count is incorrectly updated. Creating a second inode in that group would update it correctly.
+Severity : minor
+Bugzilla : 12948
+Description: buffer overruns could theoretically occur
+Details : llapi_semantic_traverse() modifies the "path" argument by
+ appending values to the end of the origin string, and a buffer
+ overrun may occur. Adding buffer overrun check in liblustreapi.
+
 --------------------------------------------------------------------------------
 2007-09-27 Cluster File Systems, Inc.
diff --git a/lustre/utils/liblustreapi.c b/lustre/utils/liblustreapi.c
index e61d811..a59b0db 100644
--- a/lustre/utils/liblustreapi.c
+++ b/lustre/utils/liblustreapi.c
@@ -525,7 +525,7 @@ static DIR *opendir_parent(char *path)
 return parent;
 }
-static int llapi_semantic_traverse(char *path, DIR *parent,
+static int llapi_semantic_traverse(char *path, int size, DIR *parent,
 semantic_func_t sem_init,
 semantic_func_t sem_fini, void *data)
 {
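Review bot: The new `size` parameter of `llapi_semantic_traverse` has no comment saying what it measures, although the overrun check added in the next hunk depends on whether it counts the terminating NUL. The callers in this patch pass `PATH_MAX + 1`, so a comment above the signature such as `/* size: capacity of path in bytes, including the terminating NUL */` would pin that contract. Declaring it `size_t` rather than `int` would also match what it holds, provided the type of `len` in the body (not visible here) is adjusted with it. The function body continues outside this hunk.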
@@ -559,6 +559,12 @@ static int llapi_semantic_traverse(char *path, DIR *parent,
 continue;
 path[len] = 0;
+ if ((len + dent->d_reclen + 2) > size) {
+ fprintf(stderr,
+ "error: %s: string buffer is too small\n",
+ __FUNCTION__);
+ break;
+ }
 strcat(path, "/");
 strcat(path, dent->d_name);
@@ -575,7 +581,7 @@ static int llapi_semantic_traverse(char *path, DIR *parent,
 * tool only makes sense for lustre filesystems. */
 break;
 case DT_DIR:
- ret = llapi_semantic_traverse(path, d, sem_init,
+ ret = llapi_semantic_traverse(path, size, d, sem_init,
 sem_fini, data);
 if (ret < 0)
 goto out;
@@ -864,21 +870,33 @@ static int cb_common_fini(char *path, DIR *parent, DIR *d, void *data)
 int llapi_find(char *path, struct find_param *param)
 {
- char buf[PATH_MAX + 1];
- int ret;
+ char *buf;
+ int ret, len = strlen(path);
+
+ if (len > PATH_MAX) {
+ fprintf(stderr, "%s: Path name '%s' is too long.\n",
+ __FUNCTION__, path);
+ return -EINVAL;
+ }
+
+ buf = (char *)malloc(PATH_MAX + 1);
+ if (!buf)
+ return -ENOMEM;
 ret = common_param_init(param);
- if (ret)
+ if (ret) {
+ free(buf);
 return ret;
+ }
 param->depth = 0;
- strncpy(buf, path, strlen(path));
- buf[strlen(path)] = '\0';
- ret = llapi_semantic_traverse(buf, NULL, cb_find_init,
+ strncpy(buf, path, PATH_MAX + 1);
+ ret = llapi_semantic_traverse(buf, PATH_MAX + 1, NULL, cb_find_init,
 cb_common_fini, param);
 find_param_fini(param);
+ free(buf);
 return ret < 0 ? ret : 0;
 }
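Review bot: The new guard sizes the entry with `dent->d_reclen`, which is the length of the whole directory record and not of the name that the two `strcat` calls append. Where the record is larger than the name the check errs on the safe side but rejects paths that would still fit, and `d_reclen` is not a POSIX field; `if (len + strlen(dent->d_name) + 2 > size)` states the real requirement (slash, name, NUL). The `break` also leaves the loop without setting an error in the visible lines, so unless `ret` is assigned outside this hunk a truncated traversal may be reported as success; `ret = -ENAMETOOLONG;` before the `break` would let callers see it. The loop starts and ends outside the hunk.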
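Review bot: The length check, `malloc` and `strncpy` added to `llapi_find` are repeated line for line in the `llapi_getstripe` and `llapi_quotachown` hunks, and in every copy the NUL terminator in `buf` exists only because the earlier `len > PATH_MAX` test happens to match the `strncpy` bound. `len` is also an `int` taken from `strlen(path)`, so the test compares a narrowed value. One static helper that keeps the length as `size_t` and copies `len + 1` bytes would hold the check and the copy together for all three entry points; the helper name below is only a suggestion.

```c
/* Copy path into a fresh PATH_MAX + 1 byte buffer; NULL on error, *rc set. */
static char *llapi_copy_path(const char *path, const char *caller, int *rc)
{
        size_t len = strlen(path);
        char *buf;

        if (len > PATH_MAX) {
                fprintf(stderr, "%s: Path name '%s' is too long.\n",
                        caller, path);
                *rc = -EINVAL;
                return NULL;
        }

        buf = malloc(PATH_MAX + 1);
        if (buf == NULL) {
                *rc = -ENOMEM;
                return NULL;
        }

        memcpy(buf, path, len + 1);     /* len <= PATH_MAX, so the NUL fits */
        return buf;
}

int llapi_find(char *path, struct find_param *param)
{
        char *buf;
        int ret;

        buf = llapi_copy_path(path, __FUNCTION__, &ret);
        if (buf == NULL)
                return ret;
        /* … unchanged: common_param_init, traversal, find_param_fini, free(buf) … */
}
```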
@@ -937,16 +955,32 @@ out:
 int llapi_getstripe(char *path, struct find_param *param)
 {
- int ret = 0;
+ char *buf;
+ int ret = 0, len = strlen(path);
+
+ if (len > PATH_MAX) {
+ fprintf(stderr, "%s: Path name '%s' is too long.\n",
+ __FUNCTION__, path);
+ return -EINVAL;
+ }
+
+ buf = (char *)malloc(PATH_MAX + 1);
+ if (!buf)
+ return -ENOMEM;
 ret = common_param_init(param);
- if (ret)
+ if (ret) {
+ free(buf);
 return ret;
+ }
 param->depth = 0;
- ret = llapi_semantic_traverse(path, NULL, cb_getstripe,
+
+ strncpy(buf, path, PATH_MAX + 1);
+ ret = llapi_semantic_traverse(buf, PATH_MAX + 1, NULL, cb_getstripe,
 cb_common_fini, param);
 find_param_fini(param);
+ free(buf);
 return ret < 0 ? ret : 0;
 }
@@ -1257,7 +1291,18 @@ static int cb_quotachown(char *path, DIR *parent, DIR *d, void *data)
 int llapi_quotachown(char *path, int flag)
 {
 struct find_param param;
- int ret = 0;
+ char *buf;
+ int ret = 0, len = strlen(path);
+
+ if (len > PATH_MAX) {
+ fprintf(stderr, "%s: Path name '%s' is too long.\n",
+ __FUNCTION__, path);
+ return -EINVAL;
+ }
+
+ buf = (char *)malloc(PATH_MAX + 1);
+ if (!buf)
+ return -ENOMEM;
 memset(¶m, 0, sizeof(param));
 param.recursive = 1;
@@ -1268,9 +1313,11 @@ int llapi_quotachown(char *path, int flag)
 if (ret)
 goto out;
- ret = llapi_semantic_traverse(path, NULL, cb_quotachown,
+ strncpy(buf, path, PATH_MAX + 1);
+ ret = llapi_semantic_traverse(buf, PATH_MAX + 1, NULL, cb_quotachown,
 NULL, ¶m);
 out:
 find_param_fini(¶m);
+ free(buf);
 return ret;
 }