On Fri, 2018-09-21 at 18:05 -0500, Benjamin Marzinski wrote:
> When get_vpd_sgio() finds out that the vpd info needed to be truncated
> to fit in the buffer, it doesn't truncate the size as well, which allows
> it to overwrite the buffer. Also, once len is set to -ENODATA,
> get_vpd_sgio() should exit, instead of using the negative len in
> memcpy(). Found by coverity.
> 
> Signed-off-by: Benjamin Marzinski <[email protected]>

Reviewed-by: Martin Wilck <[email protected]>


> ---
>  libmultipath/discovery.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
> index 0b1855d..3e0db7f 100644
> --- a/libmultipath/discovery.c
> +++ b/libmultipath/discovery.c
> @@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int
> maxlen)
>               return -ENODATA;
>       }
>       buff_len = get_unaligned_be16(&buff[2]) + 4;
> -     if (buff_len > 4096)
> +     if (buff_len > 4096) {
>               condlog(3, "vpd pg%02x page truncated", pg);
> -
> +             buff_len = 4096;
> +     }
>       if (pg == 0x80)
>               len = parse_vpd_pg80(buff, str, maxlen);
>       else if (pg == 0x83)
>               len = parse_vpd_pg83(buff, buff_len, str, maxlen);
>       else if (pg == 0xc9 && maxlen >= 8) {
> -             len = buff_len < 8 ? -ENODATA :
> -                     (buff_len <= maxlen ? buff_len : maxlen);
> -             memcpy (str, buff, len);
> +             if (buff_len < 8)
> +                     len = -ENODATA;
> +             else {
> +                     len = (buff_len <= maxlen)? buff_len : maxlen;
> +                     memcpy (str, buff, len);
> +             }
>       } else
>               len = -ENOSYS;
>  
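
Review bot: The new clamp `buff_len = 4096` only protects the branches that actually consume buff_len (pg 0x83 and pg 0xc9); the pg 0x80 branch still calls parse_vpd_pg80(buff, str, maxlen) with no length argument, so it is worth confirming that this parser bounds its reads and its copy into str without relying on the device-reported length. The literal 4096 also now appears in both the comparison and the assignment; if it is meant to be the size of buff, which these lines do not show, a named constant or sizeof would keep the two from drifting apart. In the 0xc9 branch, skipping memcpy() on the -ENODATA path is the right shape; the only nit there is the missing space before `?` in `(buff_len <= maxlen)? buff_len : maxlen`.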

-- 
Dr. Martin Wilck <[email protected]>, Tel. +49 (0)911 74053 2107
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)


--
dm-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/dm-devel
