Hi Alex,

On 14/03/2018 9:14 AM, Alex Menkov wrote:
Hi all,

Please review a small fix for
webrev: http://cr.openjdk.java.net/~amenkov/shmem_long_name/webrev_open/

Root cause of the issue is jbd hungs as a result of the buffer overflow.

In the beginning of the shmemBase.c:

#define MAX_IPC_PREFIX 50   /* user-specified or generated name for */
                            /* shared memory seg and prefix for other IPC */
#define MAX_IPC_SUFFIX 25   /* suffix to shmem name for other IPC names */

buffer (char prefix[]) in function createStream is used to generate base name for mutex/events, so MAX_IPC_PREFIX is not big enough.

Good catch! But overall this code seems to be missing bounds checks everywhere. You made the "prefix" (poor name?) buffer bigger (MAX_IPC_NAME) but do we know the incoming name plus the appended descriptive string will fit in it?

Looking at createTransport for example, it also has:

char prefix[MAX_IPC_PREFIX];

and it produces an error if

strlen(address) >= MAX_IPC_PREFIX

but otherwise copies it across:

strcpy(transport->name, address);

and then later does:

 sprintf(prefix, "%s.mutex", transport->name);

so we may have overflowed again by adding ".mutex"! The same goes for the subsequent sprintf's.

So I think there is more work to do to ensure this code is immune from buffer overflows.



Reply via email to