We need to reserve an additional 4 bytes for the length of
the response buffer, so add a proper range check to avoid
accidental wrap-arounds.
Found by coverity.

Signed-off-by: Hannes Reinecke <[email protected]>
---
 libmultipath/prioritizers/alua_rtpg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libmultipath/prioritizers/alua_rtpg.c b/libmultipath/prioritizers/alua_rtpg.c
index 636aae5..22b0d4f 100644
--- a/libmultipath/prioritizers/alua_rtpg.c
+++ b/libmultipath/prioritizers/alua_rtpg.c
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <sys/ioctl.h>
 #include <inttypes.h>
 #include <libudev.h>
@@ -219,6 +220,9 @@ get_target_port_group(struct path * pp)
                        goto out;
 
                scsi_buflen = (buf[2] << 8 | buf[3]) + 4;
+               /* Paranoia */
+               if (scsi_buflen >= USHRT_MAX)
+                       scsi_buflen = USHRT_MAX;
                if (buflen < scsi_buflen) {
                        free(buf);
                        buf = (unsigned char *)malloc(scsi_buflen);
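Review bot: The clamp added after the `scsi_buflen` computation in get_target_port_group() silently shortens the buffer whenever the device reports a length above 65531, and the `/* Paranoia */` comment does not say so. The 16-bit field in `buf[2..3]` plus the 4 header bytes can reach 65539, so after clamping the allocation is smaller than the length the response header claims. Code further down that walks the response lies outside this hunk; it is worth confirming that it is bounded by `scsi_buflen` and not by the length read back from the buffer. I would replace the comment with `/* 16-bit length + 4 header bytes can exceed USHRT_MAX; clamp, so the reply may be truncated */` and use `>` instead of `>=` to match the check added in get_asymmetric_access_state().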
@@ -303,7 +307,7 @@ get_asymmetric_access_state(int fd, unsigned int tpg)
        struct rtpg_tpg_dscr *  dscr;
        int                     rc;
        int                     buflen;
-       uint32_t                scsi_buflen;
+       uint64_t                scsi_buflen;
 
        buflen = 4096;
        buf = (unsigned char *)malloc(buflen);
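Review bot: `buflen` stays `int` while `scsi_buflen` becomes `uint64_t`, so the two sizes in get_asymmetric_access_state() no longer share a range. The later hunk clamps `scsi_buflen` to `UINT_MAX`, which does not fit in an `int`; if the grown size is copied back into `buflen` after the reallocation (that code is outside the hunk), it would become negative on common ABIs before being handed to the next request. Clamping to `INT_MAX` instead, or declaring `buflen` with an unsigned type if its consumers allow it, would keep the two consistent.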
@@ -317,6 +321,8 @@ get_asymmetric_access_state(int fd, unsigned int tpg)
        if (rc < 0)
                goto out;
        scsi_buflen = (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) + 4;
+       if (scsi_buflen > UINT_MAX)
+               scsi_buflen = UINT_MAX;
        if (buflen < scsi_buflen) {
                free(buf);
                buf = (unsigned char *)malloc(scsi_buflen);
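Review bot: The length on the `scsi_buflen =` line is still computed in `int`, so the new `> UINT_MAX` check cannot see the wrap-around it is meant to catch. `buf[0] << 24` is evaluated after promotion to `int`, and shifting a byte of 0x80 or more into the sign bit is undefined; on typical compilers the result is negative, so a reported length of 0xFFFFFFFC..0xFFFFFFFF plus 4 yields 0..3 and passes the check unnoticed. Widen before shifting: `scsi_buflen = ((uint64_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) + 4;`. Even with that fix, the clamp lets a device-supplied length drive a `malloc()` of up to 4 GiB, so a much smaller cap would be the safer bound; the allocation-failure handling is past the end of the hunk.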
-- 
2.6.6
