Thanks Marcelo. It's embarrassing how many memory bugs I've put into bindfs recently.

1.10.7 should be clean (I ran the test suite under valgrind), but if you want to base off 1.10.3 due to a feature freeze or similar, please use the two attached patches instead. One is a more comprehensive fix to readdir that handles pathconf failing for any reason. The other fixes a second serious memory error in 1.10.3.


Thanks and my apologies.

Martin

--- bindfs-1.10.3/src/bindfs.c	2012-05-18 16:45:33.000000000 +0300
+++ bindfs-new/src/bindfs.c	2012-07-15 12:12:39.748468808 +0300
@@ -54,6 +54,7 @@
 #include <assert.h>
 #include <pwd.h>
 #include <grp.h>
+#include <limits.h>
 #ifdef HAVE_SETXATTR
 #include <sys/xattr.h>
 #endif
@@ -399,9 +400,16 @@
     struct dirent *de;
     struct stat st;
     int result = 0;
-    (void) path;
+    long pc_ret;
     
-    de_buf = malloc(offsetof(struct dirent, d_name) + pathconf(path, _PC_NAME_MAX) + 1);
+    path = process_path(path);
+    
+    pc_ret = pathconf(path, _PC_NAME_MAX);
+    if (pc_ret < 0) {
+        DPRINTF("pathconf failed: %d", errno);
+        pc_ret = NAME_MAX;
+    }
+    de_buf = malloc(offsetof(struct dirent, d_name) + pc_ret + 1);
     
     seekdir(dp, offset);
     while (1) {
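Review bot: The malloc on the last added line is still unchecked, so whatever fills de_buf further down (outside this hunk) will write through a NULL pointer on allocation failure; add `if (de_buf == NULL) return -ENOMEM;` right after it, assuming this callback follows the FUSE -errno convention that `int result = 0;` at the top hints at (confirm). Separately, POSIX allows pathconf() to return -1 without touching errno when _PC_NAME_MAX has no limit, so `DPRINTF("pathconf failed: %d", errno)` can log a stale errno and the "no limit" case is indistinguishable from a real error; set `errno = 0;` before the call and treat errno == 0 on -1 as "unlimited, use NAME_MAX" rather than as a failure. Whether `process_path()` returns a pointer the caller must free is not visible here; if it allocates, the reassigned `path` is now leaked on every call. The enclosing function starts before and continues after this hunk.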
--- bindfs-1.10.3/src/usermap.c	2012-05-18 16:45:33.000000000 +0300
+++ bindfs-1.10.4/src/usermap.c	2012-06-18 08:57:55.000000000 +0300
@@ -44,7 +44,11 @@
         return usermap_status_ok;
     }
     if (map->user_size == map->user_capacity) {
-        map->user_capacity *= 2;
+        if (map->user_capacity == 0) {
+            map->user_capacity = 8;
+        } else {
+            map->user_capacity *= 2;
+        }
         map->user_from = (uid_t*)realloc(map->user_from, map->user_capacity * sizeof(uid_t));
         map->user_to = (uid_t*)realloc(map->user_to, map->user_capacity * sizeof(uid_t));
     }
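Review bot: The two realloc() calls after the new capacity logic assign straight back into `map->user_from` and `map->user_to`, so on failure the old array is leaked, the field becomes NULL, and the append that presumably follows the hunk writes through it; `user_capacity` has also already been doubled, so the map is left inconsistent. Grow into temporaries, commit the new pointers and capacity only when both succeed, and return a non-ok status on failure (the usermap_status enum's failure member is not visible in this hunk, so it is left as a comment below). Whether `user_capacity` is `int` or `size_t` is also not visible; the fence keeps its existing type. The function starts before and ends after this hunk.
```c
    if (map->user_size == map->user_capacity) {
        /* Grow into temporaries so a failed realloc leaves the map intact. */
        uid_t *from = realloc(map->user_from, (map->user_capacity == 0 ? 8 : map->user_capacity * 2) * sizeof(uid_t));
        if (from == NULL) {
            /* map unchanged; return the usermap_status value for allocation failure */
        }
        map->user_from = from;
        uid_t *to = realloc(map->user_to, (map->user_capacity == 0 ? 8 : map->user_capacity * 2) * sizeof(uid_t));
        if (to == NULL) {
            /* user_from already grown but still valid; return the usermap_status value for allocation failure */
        }
        map->user_to = to;
        map->user_capacity = (map->user_capacity == 0 ? 8 : map->user_capacity * 2);
    }
    /* … unchanged: append to user_from/user_to and increment user_size … */
```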
@@ -65,7 +69,11 @@
         return usermap_status_ok;
     }
     if (map->group_size == map->group_capacity) {
-        map->group_capacity *= 2;
+        if (map->group_capacity == 0) {
+            map->group_capacity = 8;
+        } else {
+            map->group_capacity *= 2;
+        }
         map->group_from = (gid_t*)realloc(map->group_from, map->group_capacity * sizeof(gid_t));
         map->group_to = (gid_t*)realloc(map->group_to, map->group_capacity * sizeof(gid_t));
     }
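Review bot: As with the user arrays, `map->group_from = (gid_t*)realloc(...)` and `map->group_to = (gid_t*)realloc(...)` overwrite the live pointers with the realloc() result, so an allocation failure leaks the old array, leaves NULL in the field and leaves `group_capacity` already doubled; the subsequent store into `group_from[group_size]` (presumably just after this hunk) would then dereference NULL. Realloc into `gid_t *from` / `gid_t *to` temporaries, assign them and the new capacity only when both calls succeed, and return a non-ok usermap_status otherwise (the failure member of that enum is not visible here). The casts on realloc are also unnecessary in C and can be dropped. The function starts before and ends after this hunk.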
