From: 10144149 <tang.wenj...@zte.com.cn>

Problem: multipathd dead when we run "show map spathx json" command with
system messages as follows:
Oct 13 11:37:30 rhel7-1 multipathd: *** Error in `/sbin/multipathd': realloc(): 
invalid next size: 0x00007f8cf8004210 ***
Oct 13 11:37:30 rhel7-1 multipathd: ======= Backtrace: =========
Oct 13 11:37:30 rhel7-1 multipathd: /lib64/libc.so.6(+0x7bc67)[0x7f8d06171c67]
Oct 13 11:37:30 rhel7-1 multipathd: /lib64/libc.so.6(+0x7fb17)[0x7f8d06175b17]
Oct 13 11:37:30 rhel7-1 multipathd: 
/lib64/libc.so.6(realloc+0xd2)[0x7f8d06176702]

Reasons: in function snprint_multipath_fields_json
vector_foreach_slot (pgp->paths, pp, j) {
       fwd += snprint_path(buff + fwd, len - fwd, PRINT_JSON_PATH, pp, 0);
       if (fwd > len)
            return fwd;

       fwd += snprint_json_elem_footer(buff + fwd,
                len - fwd, 3, j + 1 == VECTOR_SIZE(pgp->paths));
       if (fwd > len)
           return fwd;
}

snprint_path (char * line, int len, char * format, struct path * pp, int pad)

when len - fwd = 0 , The len is not restricted in snprint_path´╝îand the Memory 
of line is
rewritten in snprint_path, it cause realloc() failed , so fwd > len modify
fwd >= len.

Other commands also have this type of risk.

Signed-off-by: 10144149 <tang.wenj...@zte.com.cn>
---
 libmultipath/print.c | 131 ++++++++++++++++++++++++++-------------------------
 1 file changed, 66 insertions(+), 65 deletions(-)

diff --git a/libmultipath/print.c b/libmultipath/print.c
index 9aa41ad..78c065f 100644
--- a/libmultipath/print.c
+++ b/libmultipath/print.c
@@ -1004,11 +1004,11 @@ snprint_multipath_topology (char * buff, int len, 
struct multipath * mpp,
                c += sprintf(c, "%c[%dm", 0x1B, 0); /* bold off */
 
        fwd += snprint_multipath(buff + fwd, len - fwd, style, mpp, 1);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        fwd += snprint_multipath(buff + fwd, len - fwd, PRINT_MAP_PROPS, mpp,
                                 1);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        if (!mpp->pg)
@@ -1022,7 +1022,7 @@ snprint_multipath_topology (char * buff, int len, struct 
multipath * mpp,
                } else
                        strcpy(f, "`-+- " PRINT_PG_INDENT);
                fwd += snprint_pathgroup(buff + fwd, len - fwd, fmt, pgp);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
 
                vector_foreach_slot (pgp->paths, pp, i) {
@@ -1035,13 +1035,14 @@ snprint_multipath_topology (char * buff, int len, 
struct multipath * mpp,
                        else
                                strcpy(f, " `- " PRINT_PATH_INDENT);
                        fwd += snprint_path(buff + fwd, len - fwd, fmt, pp, 1);
-                       if (fwd > len)
+                       if (fwd >= len)
                                return len;
                }
        }
        return fwd;
 }
 
+
 static int
 snprint_json (char * buff, int len, int indent, char *json_str)
 {
@@ -1049,7 +1050,7 @@ snprint_json (char * buff, int len, int indent, char 
*json_str)
 
        for (i = 0; i < indent; i++) {
                fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_INDENT);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
        }
 
@@ -1063,7 +1064,7 @@ snprint_json_header (char * buff, int len)
        int fwd = 0;
 
        fwd +=  snprint_json(buff, len, 0, PRINT_JSON_START_ELEM);
-       if (fwd > len)
+       if (fwd >= len)
                return fwd;
 
        fwd +=  snprintf(buff + fwd, len  - fwd, PRINT_JSON_START_VERSION,
@@ -1078,7 +1079,7 @@ snprint_json_elem_footer (char * buff, int len, int 
indent, int last)
 
        for (i = 0; i < indent; i++) {
                fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_INDENT);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
        }
 
@@ -1098,50 +1099,50 @@ snprint_multipath_fields_json (char * buff, int len,
        struct pathgroup *pgp;
 
        fwd += snprint_multipath(buff, len, PRINT_JSON_MAP, mpp, 0);
-       if (fwd > len)
+       if (fwd >= len)
                return fwd;
 
        fwd += snprint_json(buff + fwd, len - fwd, 2, PRINT_JSON_START_GROUPS);
-       if (fwd > len)
+       if (fwd >= len)
                return fwd;
 
        vector_foreach_slot (mpp->pg, pgp, i) {
 
                pgp->selector = mpp->selector;
                fwd += snprint_pathgroup(buff + fwd, len - fwd, 
PRINT_JSON_GROUP, pgp);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
 
                fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_GROUP_NUM, i 
+ 1);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
 
                fwd += snprint_json(buff + fwd, len - fwd, 3, 
PRINT_JSON_START_PATHS);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
 
                vector_foreach_slot (pgp->paths, pp, j) {
                        fwd += snprint_path(buff + fwd, len - fwd, 
PRINT_JSON_PATH, pp, 0);
-                       if (fwd > len)
+                       if (fwd >= len)
                                return fwd;
 
                        fwd += snprint_json_elem_footer(buff + fwd,
                                        len - fwd, 3, j + 1 == 
VECTOR_SIZE(pgp->paths));
-                       if (fwd > len)
+                       if (fwd >= len)
                                return fwd;
                }
                fwd += snprint_json(buff + fwd, len - fwd, 0, 
PRINT_JSON_END_ARRAY);
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
 
                fwd +=  snprint_json_elem_footer(buff + fwd,
                                len - fwd, 2, i + 1 == VECTOR_SIZE(mpp->pg));
-               if (fwd > len)
+               if (fwd >= len)
                        return fwd;
        }
 
        fwd += snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_ARRAY);
-       if (fwd > len)
+       if (fwd >= len)
                return fwd;
 
        fwd += snprint_json_elem_footer(buff + fwd, len - fwd, 1, last);
@@ -1154,23 +1155,23 @@ snprint_multipath_map_json (char * buff, int len,
        int fwd = 0;
 
        fwd +=  snprint_json_header(buff, len);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_START_MAP);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd += snprint_multipath_fields_json(buff + fwd, len - fwd, mpp, 1);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd +=  snprint_json(buff + fwd, len - fwd, 0, "\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_LAST);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1182,26 +1183,26 @@ snprint_multipath_topology_json (char * buff, int len, 
struct vectors * vecs)
        struct multipath * mpp;
 
        fwd +=  snprint_json_header(buff, len);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd +=  snprint_json(buff + fwd, len  - fwd, 1, PRINT_JSON_START_MAPS);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        vector_foreach_slot(vecs->mpvec, mpp, i) {
                fwd += snprint_multipath_fields_json(buff + fwd, len - fwd,
                                mpp, i + 1 == VECTOR_SIZE(vecs->mpvec));
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
 
        fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_ARRAY);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_LAST);
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1225,16 +1226,16 @@ snprint_hwentry (struct config *conf, char * buff, int 
len, struct hwentry * hwe
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        iterate_sub_keywords(rootkw, kw, i) {
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                kw, hwe);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1252,15 +1253,15 @@ snprint_hwtable (struct config *conf, char * buff, int 
len, vector hwtable)
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "devices {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        vector_foreach_slot (hwtable, hwe, i) {
                fwd += snprint_hwentry(conf, buff + fwd, len - fwd, hwe);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1278,16 +1279,16 @@ snprint_mpentry (struct config *conf, char * buff, int 
len, struct mpentry * mpe
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "\tmultipath {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        iterate_sub_keywords(rootkw, kw, i) {
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                kw, mpe);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1305,15 +1306,15 @@ snprint_mptable (struct config *conf, char * buff, int 
len, vector mptable)
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "multipaths {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        vector_foreach_slot (mptable, mpe, i) {
                fwd += snprint_mpentry(conf, buff + fwd, len - fwd, mpe);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1331,19 +1332,19 @@ snprint_overrides (struct config *conf, char * buff, 
int len, struct hwentry *ov
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "overrides {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        if (!overrides)
                goto out;
        iterate_sub_keywords(rootkw, kw, i) {
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, NULL);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
 out:
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1361,17 +1362,17 @@ snprint_defaults (struct config *conf, char * buff, int 
len)
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "defaults {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        iterate_sub_keywords(rootkw, kw, i) {
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                kw, NULL);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1508,7 +1509,7 @@ snprint_blacklist (struct config *conf, char * buff, int 
len)
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "blacklist {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        vector_foreach_slot (conf->blist_devnode, ble, i) {
@@ -1517,7 +1518,7 @@ snprint_blacklist (struct config *conf, char * buff, int 
len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ble);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        vector_foreach_slot (conf->blist_wwid, ble, i) {
@@ -1526,7 +1527,7 @@ snprint_blacklist (struct config *conf, char * buff, int 
len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ble);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        vector_foreach_slot (conf->blist_property, ble, i) {
@@ -1535,7 +1536,7 @@ snprint_blacklist (struct config *conf, char * buff, int 
len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ble);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        rootkw = find_keyword(conf->keywords, rootkw->sub, "device");
@@ -1544,28 +1545,28 @@ snprint_blacklist (struct config *conf, char * buff, 
int len)
 
        vector_foreach_slot (conf->blist_device, bled, i) {
                fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                kw = find_keyword(conf->keywords, rootkw->sub, "vendor");
                if (!kw)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                       kw, bled);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                kw = find_keyword(conf->keywords, rootkw->sub, "product");
                if (!kw)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                       kw, bled);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1585,7 +1586,7 @@ snprint_blacklist_except (struct config *conf, char * 
buff, int len)
                return 0;
 
        fwd += snprintf(buff + fwd, len - fwd, "blacklist_exceptions {\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
 
        vector_foreach_slot (conf->elist_devnode, ele, i) {
@@ -1594,7 +1595,7 @@ snprint_blacklist_except (struct config *conf, char * 
buff, int len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ele);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        vector_foreach_slot (conf->elist_wwid, ele, i) {
@@ -1603,7 +1604,7 @@ snprint_blacklist_except (struct config *conf, char * 
buff, int len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ele);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        vector_foreach_slot (conf->elist_property, ele, i) {
@@ -1612,7 +1613,7 @@ snprint_blacklist_except (struct config *conf, char * 
buff, int len)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
                                       kw, ele);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        rootkw = find_keyword(conf->keywords, rootkw->sub, "device");
@@ -1621,28 +1622,28 @@ snprint_blacklist_except (struct config *conf, char * 
buff, int len)
 
        vector_foreach_slot (conf->elist_device, eled, i) {
                fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                kw = find_keyword(conf->keywords, rootkw->sub, "vendor");
                if (!kw)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                       kw, eled);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                kw = find_keyword(conf->keywords, rootkw->sub, "product");
                if (!kw)
                        return 0;
                fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
                                       kw, eled);
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
                fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-               if (fwd > len)
+               if (fwd >= len)
                        return len;
        }
        fwd += snprintf(buff + fwd, len - fwd, "}\n");
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1674,7 +1675,7 @@ snprint_status (char * buff, int len, struct vectors 
*vecs)
        fwd += snprintf(buff + fwd, len - fwd, "\npaths: %d\nbusy: %s\n",
                        monitored_count, is_uevent_busy()? "True" : "False");
 
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
@@ -1740,7 +1741,7 @@ snprint_devices (struct config *conf, char * buff, int 
len, struct vectors *vecs
        }
        closedir(blkdir);
 
-       if (fwd > len)
+       if (fwd >= len)
                return len;
        return fwd;
 }
-- 
2.8.1.windows.1


--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

Reply via email to