[
https://issues.apache.org/jira/browse/YARN-7455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jason Lowe updated YARN-7455:
-----------------------------
Summary: quote_and_append_arg can overflow buffer (was: add_mounts can
overrun temporary buffer)
The code always uses quote_and_append_arg which takes the dest buffer size as a
limit and checks against it, so we'd be fine as long as quote_and_append_arg
does its job. However quote_and_append_arg doesn't check the sizes properly:
{code}
void quote_and_append_arg(char **str, size_t *size, const char* param, const
char *arg) {
char *tmp = escape_single_quote(arg);
int alloc_block = 1024;
strcat(*str, param);
strcat(*str, "'");
if (strlen(*str) + strlen(tmp) > *size) {
*size = (strlen(*str) + strlen(tmp) + alloc_block) * sizeof(char);
*str = (char *) realloc(*str, *size);
if (*str == NULL) {
exit(OUT_OF_MEMORY);
}
}
strcat(*str, tmp);
strcat(*str, "' ");
{code}
There are a number of problem here:
# The param argument is blindly appended to the destination buffer without
checking if there's room in the buffer.
# There's no buffer size accounting for the prefix and postfix quoting
characters placed around the {{arg}} input string.
# The {{strlen(*str) + strlen(tmp) > size}} has an off-by-one error since it
doesn't account for the terminating NUL character.
In addition to fixing these problems, quote_and_append_arg should return the
size of the destination buffer so callers can properly propagate the new buffer
size when quote_and_append_arg resizes the buffer.
Bonus points for eliminating the many redundant, implicit strlen calls that are
occurring in this function via all the strcat calls. We should only have to
compute the length of the input strings once, and the length of any computed
string can be trivially derived once we know the length of the inputs.
> quote_and_append_arg can overflow buffer
> ----------------------------------------
>
> Key: YARN-7455
> URL: https://issues.apache.org/jira/browse/YARN-7455
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Jason Lowe
>
> While reviewing YARN-7197 I noticed that add_mounts in docker_util.c has a
> potential buffer overflow since tmp_buffer is only 1024 bytes which may not
> be sufficient to hold the specified mount path.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
