The branch, master has been updated
       via  1f269fc tdb: Add another overflow check to tdb_expand_adjust
       via  d9b4f19 tdb: Make tdb_recovery_allocate overflow-safe
       via  8b215df tdb: Make tdb_recovery_size overflow-safe
       via  7ae09a9 tdb: add proper OOM/ENOSPC handling to tdb_expand()
       via  854c5f0 tdb: add overflow detection to tdb_expand_adjust()
       via  e19d46f tdb: add overflow/ENOSPC handling to tdb_expand_file()
       via  a07ba17 tdb: add a 'new_size' helper variable to tdb_expand_file()
       via  4483bf1 tdb: Add overflow-checking tdb_add_off_t
      from  42b0b27 param_table: Remove misleading allow dns updates options.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1f269fcc6e2bb46b765d547eb1add2bc52272c47
Author: Volker Lendecke <[email protected]>
Date:   Thu May 30 16:23:17 2013 +0200

    tdb: Add another overflow check to tdb_expand_adjust
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>
    
    Autobuild-User(master): Volker Lendecke <[email protected]>
    Autobuild-Date(master): Mon Jun  3 14:08:54 CEST 2013 on sn-devel-104

commit d9b4f19e73f241a1ccf64f04c3cc28d481550bb7
Author: Volker Lendecke <[email protected]>
Date:   Thu May 30 15:54:58 2013 +0200

    tdb: Make tdb_recovery_allocate overflow-safe
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit 8b215df4454883b3733733af4f49f87eb0a2a46a
Author: Volker Lendecke <[email protected]>
Date:   Thu May 30 15:24:27 2013 +0200

    tdb: Make tdb_recovery_size overflow-safe
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit 7ae09a9695bcc5fad606441db3ab6e413b9d48ce
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 28 13:04:29 2013 +0200

    tdb: add proper OOM/ENOSPC handling to tdb_expand()
    
    Failing to do so will result in corrupt tdbs: We will overwrite
    the hash chain pointers with 0x42424242.
    
    Pair-Programmed-With: Volker Lendecke <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit 854c5f0aac03c7c6d7e1b37997dcdc848fec1499
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 28 13:01:27 2013 +0200

    tdb: add overflow detection to tdb_expand_adjust()
    
    We round up at maximum to a new size of 4GB,
    but still return at least the given size.
    
    The caller has to deal with ENOSPC itself.
    
    Pair-Programmed-With: Volker Lendecke <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit e19d46f7e31a32e2b5ae3ec05e13f32b8ac2109d
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 28 12:59:32 2013 +0200

    tdb: add overflow/ENOSPC handling to tdb_expand_file()
    
    Pair-Programmed-With: Volker Lendecke <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit a07ba17e0c91d726416db946e6f65b064b2d17ec
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 28 12:56:57 2013 +0200

    tdb: add a 'new_size' helper variable to tdb_expand_file()
    
    Pair-Programmed-With: Volker Lendecke <[email protected]>
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

commit 4483bf143ddfee9ec07aed8f124559b00f757d9a
Author: Volker Lendecke <[email protected]>
Date:   Thu May 30 14:52:59 2013 +0200

    tdb: Add overflow-checking tdb_add_off_t
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Rusty Russell <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 lib/tdb/common/io.c          |   92 +++++++++++++++++++++++++++++++++++-------
 lib/tdb/common/tdb.c         |   11 +++++
 lib/tdb/common/tdb_private.h |    4 ++
 lib/tdb/common/transaction.c |   39 ++++++++++++++----
 4 files changed, 123 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tdb/common/io.c b/lib/tdb/common/io.c
index a477fb5..11dfefd 100644
--- a/lib/tdb/common/io.c
+++ b/lib/tdb/common/io.c
@@ -287,26 +287,37 @@ int tdb_mmap(struct tdb_context *tdb)
 static int tdb_expand_file(struct tdb_context *tdb, tdb_off_t size, tdb_off_t 
addition)
 {
        char buf[8192];
+       tdb_off_t new_size;
 
        if (tdb->read_only || tdb->traverse_read) {
                tdb->ecode = TDB_ERR_RDONLY;
                return -1;
        }
 
-       if (ftruncate(tdb->fd, size+addition) == -1) {
+       if (!tdb_add_off_t(size, addition, &new_size)) {
+               tdb->ecode = TDB_ERR_OOM;
+               TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file write "
+                       "overflow detected current size[%u] addition[%u]!\n",
+                       (unsigned)size, (unsigned)addition));
+               errno = ENOSPC;
+               return -1;
+       }
+
+       if (ftruncate(tdb->fd, new_size) == -1) {
                char b = 0;
-               ssize_t written = pwrite(tdb->fd,  &b, 1, (size+addition) - 1);
+               ssize_t written = pwrite(tdb->fd,  &b, 1, new_size - 1);
                if (written == 0) {
                        /* try once more, potentially revealing errno */
-                       written = pwrite(tdb->fd,  &b, 1, (size+addition) - 1);
+                       written = pwrite(tdb->fd,  &b, 1, new_size - 1);
                }
                if (written == 0) {
                        /* again - give up, guessing errno */
                        errno = ENOSPC;
                }
                if (written != 1) {
+                       tdb->ecode = TDB_ERR_OOM;
                        TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file to %u 
failed (%s)\n",
-                                size+addition, strerror(errno)));
+                                (unsigned)new_size, strerror(errno)));
                        return -1;
                }
        }
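Review bot: The `if (written != 1)` branch of the ftruncate fallback now sets `tdb->ecode = TDB_ERR_OOM;` for every pwrite failure, but at that point errno may be EIO or EBADF rather than ENOSPC, so a genuine I/O error on the file is reported to callers as out-of-space. Only the overflow exit above and the `written == 0` guess are really ENOSPC conditions; `tdb->ecode = (errno == ENOSPC) ? TDB_ERR_OOM : TDB_ERR_IO;` would keep the distinction if tdb_expand's callers are meant to tell the two apart. The same unconditional assignment is added in the next hunk on the `written == 0` and `written == -1` branches of the write loop. tdb_expand_file's body continues past this hunk.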
@@ -324,12 +335,14 @@ static int tdb_expand_file(struct tdb_context *tdb, 
tdb_off_t size, tdb_off_t ad
                }
                if (written == 0) {
                        /* give up, trying to provide a useful errno */
+                       tdb->ecode = TDB_ERR_OOM;
                        TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file write "
                                "returned 0 twice: giving up!\n"));
                        errno = ENOSPC;
                        return -1;
                }
                if (written == -1) {
+                       tdb->ecode = TDB_ERR_OOM;
                        TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file write of "
                                 "%u bytes failed (%s)\n", (int)n,
                                 strerror(errno)));
@@ -350,14 +363,32 @@ static int tdb_expand_file(struct tdb_context *tdb, 
tdb_off_t size, tdb_off_t ad
 /* You need 'size', this tells you how much you should expand by. */
 tdb_off_t tdb_expand_adjust(tdb_off_t map_size, tdb_off_t size, int page_size)
 {
-       tdb_off_t new_size, top_size;
+       tdb_off_t new_size, top_size, increment;
+       tdb_off_t max_size = UINT32_MAX - map_size;
+
+       if (size > max_size) {
+               /*
+                * We can't round up anymore, just give back
+                * what we're asked for.
+                *
+                * The caller has to take care of the ENOSPC handling.
+                */
+               return size;
+       }
 
        /* limit size in order to avoid using up huge amounts of memory for
         * in memory tdbs if an oddball huge record creeps in */
        if (size > 100 * 1024) {
-               top_size = map_size + size * 2;
+               increment = size * 2;
        } else {
-               top_size = map_size + size * 100;
+               increment = size * 100;
+       }
+       if (increment < size) {
+               goto overflow;
+       }
+
+       if (!tdb_add_off_t(map_size, increment, &top_size)) {
+               goto overflow;
        }
 
        /* always make room for at least top_size more records, and at
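Review bot: The `if (increment < size)` guard is correct, but it is sound for the two branches for different reasons and a reader is likely to question it for the `size * 100` case; a comment such as `/* size * 2 wraps exactly when the product ends up below size; size * 100 cannot wrap because that branch only runs for size <= 100 * 1024 */` documents why no further check is needed. `max_size = UINT32_MAX - map_size` also hard-codes the assumption that tdb_off_t is uint32_t, which tdb_private.h now states in a comment next to the tdb_add_len_t alias; referring to that assumption here keeps the two in step if the type is ever widened. tdb_expand_adjust continues in the next hunk.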
@@ -368,10 +399,26 @@ tdb_off_t tdb_expand_adjust(tdb_off_t map_size, tdb_off_t 
size, int page_size)
        } else {
                new_size = map_size * 1.25;
        }
+       if (new_size < map_size) {
+               goto overflow;
+       }
 
        /* Round the database up to a multiple of the page size */
        new_size = MAX(top_size, new_size);
+
+       if (new_size + page_size < new_size) {
+               /* There's a "+" in TDB_ALIGN that might overflow... */
+               goto overflow;
+       }
+
        return TDB_ALIGN(new_size, page_size) - map_size;
+
+overflow:
+       /*
+        * Somewhere in between we went over 4GB. Make one big jump to
+        * exactly 4GB database size.
+        */
+       return max_size;
 }
 
 /* expand the database at least size bytes by expanding the underlying
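Review bot: The new `if (new_size < map_size) goto overflow;` guard relies on the preceding context line `new_size = map_size * 1.25;`, and converting a double that exceeds UINT32_MAX back to tdb_off_t is undefined behaviour in C (6.3.1.4), not a wraparound, so the compiler is free to assume the comparison is always false and drop the check. Doing the arithmetic in integers gives the same value (map_size + floor(map_size / 4)) whenever it fits and makes the overflow detectable: replace both lines with `if (!tdb_add_off_t(map_size, map_size / 4, &new_size)) { goto overflow; }`. The other branch of that `if`/`else` lies outside the hunk; if it also scales map_size it needs the same treatment. tdb_expand_adjust starts in the previous hunk.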
@@ -380,6 +427,7 @@ int tdb_expand(struct tdb_context *tdb, tdb_off_t size)
 {
        struct tdb_record rec;
        tdb_off_t offset;
+       tdb_off_t new_size;
 
        if (tdb_lock(tdb, -1, F_WRLCK) == -1) {
                TDB_LOG((tdb, TDB_DEBUG_ERROR, "lock failed in tdb_expand\n"));
@@ -391,10 +439,12 @@ int tdb_expand(struct tdb_context *tdb, tdb_off_t size)
 
        size = tdb_expand_adjust(tdb->map_size, size, tdb->page_size);
 
-       /* expand the file itself */
-       if (!(tdb->flags & TDB_INTERNAL)) {
-               if (tdb->methods->tdb_expand_file(tdb, tdb->map_size, size) != 
0)
-                       goto fail;
+       if (!tdb_add_off_t(tdb->map_size, size, &new_size)) {
+               tdb->ecode = TDB_ERR_OOM;
+               TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_expand "
+                       "overflow detected current map_size[%u] size[%u]!\n",
+                       (unsigned)tdb->map_size, (unsigned)size));
+               goto fail;
        }
 
        /* form a new freelist record */
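Review bot: The new overflow exit in tdb_expand sets tdb->ecode but leaves errno alone, whereas the matching overflow branch added to tdb_expand_file earlier in this file does `errno = ENOSPC;` before returning, so a caller that looks at errno after a failed tdb_expand sees whatever tdb_expand_adjust or the lock call left behind. Adding `errno = ENOSPC;` after the TDB_LOG keeps the two overflow paths consistent. Note that this exit is also the normal landing point for the `size > max_size` early return in tdb_expand_adjust, i.e. a database that has simply reached 4 GB, so TDB_DEBUG_FATAL is a loud level for an expected out-of-space condition. tdb_expand continues in the next hunk.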
@@ -403,18 +453,30 @@ int tdb_expand(struct tdb_context *tdb, tdb_off_t size)
        rec.rec_len = size - sizeof(rec);
 
        if (tdb->flags & TDB_INTERNAL) {
-               char *new_map_ptr = (char *)realloc(tdb->map_ptr,
-                                                   tdb->map_size + size);
+               char *new_map_ptr;
+
+               new_map_ptr = (char *)realloc(tdb->map_ptr, new_size);
                if (!new_map_ptr) {
+                       tdb->ecode = TDB_ERR_OOM;
                        goto fail;
                }
                tdb->map_ptr = new_map_ptr;
-               tdb->map_size += size;
+               tdb->map_size = new_size;
        } else {
+               int ret;
+
+               /*
+                * expand the file itself
+                */
+               ret = tdb->methods->tdb_expand_file(tdb, tdb->map_size, size);
+               if (ret != 0) {
+                       goto fail;
+               }
+
                /* Explicitly remap: if we're in a transaction, this won't
                 * happen automatically! */
                tdb_munmap(tdb);
-               tdb->map_size += size;
+               tdb->map_size = new_size;
                if (tdb_mmap(tdb) != 0) {
                        goto fail;
                }
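Review bot: The `int ret;` temporary in the file branch is assigned once and tested once; the form the hunk removes, `if (tdb->methods->tdb_expand_file(tdb, tdb->map_size, size) != 0) { goto fail; }`, reads more directly and keeps the diff smaller. The `(char *)` cast on realloc is unnecessary in C, so `new_map_ptr = realloc(tdb->map_ptr, new_size);` suffices. Leaving tdb->map_ptr untouched when realloc fails is the right choice, since the old block stays valid for the `goto fail` path. The fail label of tdb_expand lies outside this hunk.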
diff --git a/lib/tdb/common/tdb.c b/lib/tdb/common/tdb.c
index a2ae187..6256a05 100644
--- a/lib/tdb/common/tdb.c
+++ b/lib/tdb/common/tdb.c
@@ -1000,6 +1000,17 @@ bool tdb_write_all(int fd, const void *buf, size_t count)
        return true;
 }
 
+bool tdb_add_off_t(tdb_off_t a, tdb_off_t b, tdb_off_t *pret)
+{
+       tdb_off_t ret = a + b;
+
+       if ((ret < a) || (ret < b)) {
+               return false;
+       }
+       *pret = ret;
+       return true;
+}
+
 #ifdef TDB_TRACE
 static void tdb_trace_write(struct tdb_context *tdb, const char *str)
 {
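Review bot: tdb_add_off_t carries no contract comment although it becomes the overflow primitive for three files in this changeset, and one property callers already depend on is not visible from the signature: transaction.c passes the same variable as operand and as `pret` (`tdb_add_len_t(recovery_size, ..., &recovery_size)`), which is only safe because `*pret` is written after the check. A header comment such as `/* Add two tdb_off_t values. Returns false, leaving *pret untouched, if the sum would wrap; pret may alias a or b. */` pins that down. For unsigned addition `ret < a` alone detects the wrap, so the `(ret < b)` half of the condition is redundant, though harmless.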
diff --git a/lib/tdb/common/tdb_private.h b/lib/tdb/common/tdb_private.h
index 406fc5f..ce92188 100644
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -282,4 +282,8 @@ void tdb_header_hash(struct tdb_context *tdb,
                     uint32_t *magic1_hash, uint32_t *magic2_hash);
 unsigned int tdb_old_hash(TDB_DATA *key);
 size_t tdb_dead_space(struct tdb_context *tdb, tdb_off_t off);
+bool tdb_add_off_t(tdb_off_t a, tdb_off_t b, tdb_off_t *pret);
+
+/* tdb_off_t and tdb_len_t right now are both uint32_t */
+#define tdb_add_len_t tdb_add_off_t
 #endif /* TDB_PRIVATE_H */
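Review bot: The `tdb_add_len_t` alias depends on tdb_len_t and tdb_off_t both being uint32_t, which the comment states but nothing enforces; if either typedef is widened later the macro silently checks the wrong width and the overflow detection in tdb_recovery_size stops working. A compile-time size check next to the define, e.g. `typedef char tdb_add_len_t_check[sizeof(tdb_len_t) == sizeof(tdb_off_t) ? 1 : -1];`, turns that into a build error (use the project's own static-assert macro instead if one exists).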
diff --git a/lib/tdb/common/transaction.c b/lib/tdb/common/transaction.c
index 81cfd16..a2c3bbd 100644
--- a/lib/tdb/common/transaction.c
+++ b/lib/tdb/common/transaction.c
@@ -630,28 +630,37 @@ _PUBLIC_ int tdb_transaction_cancel(struct tdb_context 
*tdb)
 /*
   work out how much space the linearised recovery data will consume
 */
-static tdb_len_t tdb_recovery_size(struct tdb_context *tdb)
+static bool tdb_recovery_size(struct tdb_context *tdb, tdb_len_t *result)
 {
        tdb_len_t recovery_size = 0;
        int i;
 
        recovery_size = sizeof(uint32_t);
        for (i=0;i<tdb->transaction->num_blocks;i++) {
+               tdb_len_t block_size;
                if (i * tdb->transaction->block_size >= 
tdb->transaction->old_map_size) {
                        break;
                }
                if (tdb->transaction->blocks[i] == NULL) {
                        continue;
                }
-               recovery_size += 2*sizeof(tdb_off_t);
+               if (!tdb_add_len_t(recovery_size, 2*sizeof(tdb_off_t),
+                                  &recovery_size)) {
+                       return false;
+               }
                if (i == tdb->transaction->num_blocks-1) {
-                       recovery_size += tdb->transaction->last_block_size;
+                       block_size = tdb->transaction->last_block_size;
                } else {
-                       recovery_size += tdb->transaction->block_size;
+                       block_size =  tdb->transaction->block_size;
+               }
+               if (!tdb_add_len_t(recovery_size, block_size,
+                                  &recovery_size)) {
+                       return false;
                }
        }
 
-       return recovery_size;
+       *result = recovery_size;
+       return true;
 }
 
 int tdb_recovery_area(struct tdb_context *tdb,
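Review bot: The header comment above tdb_recovery_size still describes it as working out the size, but the function now returns a bool and hands the size back through `result`; extend it to `work out how much space the linearised recovery data will consume. Returns false, leaving *result untouched, if the total would overflow tdb_len_t.` The new line `block_size =  tdb->transaction->block_size;` carries a double space. Passing `&recovery_size` as both operand and destination of tdb_add_len_t is fine only because the helper writes `*pret` after its check, which the tdb.c hunk confirms; worth a one-line comment at the first such call.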
@@ -700,7 +709,11 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
                return -1;
        }
 
-       *recovery_size = tdb_recovery_size(tdb);
+       if (!tdb_recovery_size(tdb, recovery_size)) {
+               TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: "
+                        "overflow recovery size\n"));
+               return -1;
+       }
 
        /* Existing recovery area? */
        if (recovery_head != 0 && *recovery_size <= rec.rec_len) {
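Review bot: The new overflow exit returns -1 without setting tdb->ecode, while the parallel overflow exits added to tdb_expand and tdb_expand_file in io.c set `tdb->ecode = TDB_ERR_OOM;` first, so a caller that reports tdb_error() after a failed commit sees whatever code was set last. Add `tdb->ecode = TDB_ERR_OOM;` before the `return -1;` (or TDB_ERR_IO if that is the convention used by the other exits of tdb_recovery_allocate, which are outside the hunk). The same applies to the second tdb_recovery_size exit in the next hunk and to the new_end check in the hunk after it. tdb_recovery_allocate starts before and ends after this hunk.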
@@ -728,7 +741,12 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
 
                        /* the tdb_free() call might have increased
                         * the recovery size */
-                       *recovery_size = tdb_recovery_size(tdb);
+                       if (!tdb_recovery_size(tdb, recovery_size)) {
+                               TDB_LOG((tdb, TDB_DEBUG_FATAL,
+                                        "tdb_recovery_allocate: "
+                                        "overflow recovery size\n"));
+                               return -1;
+                       }
                }
 
                /* New head will be at end of file. */
@@ -744,7 +762,12 @@ static int tdb_recovery_allocate(struct tdb_context *tdb,
                                               tdb->page_size)
                - sizeof(rec);
 
-       new_end = recovery_head + sizeof(rec) + *recovery_max_size;
+       if (!tdb_add_off_t(recovery_head, sizeof(rec), &new_end) ||
+           !tdb_add_off_t(new_end, *recovery_max_size, &new_end)) {
+               TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: "
+                        "overflow recovery area\n"));
+               return -1;
+       }
 
        if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size,
                                     new_end - tdb->transaction->old_map_size)


-- 
Samba Shared Repository
