diff options
| author | Ravishankar N <ravishankar@redhat.com> | 2018-10-08 11:04:14 +0530 |
|---|---|---|
| committer | Ravishankar N <ravishankar@redhat.com> | 2018-11-02 10:14:53 +0530 |
| commit | e2c195712a9ecbda4fa02f5308138a1257a2558a (patch) | |
| tree | 5ecbcdcdd4b296a9ee23e7613bef106017188c2c | |
| parent | bc453a0075c1305be18cc64440e35a86624daed4 (diff) | |
features/locks: add buffer overflow checks in pl_getxattr
Problem:
A compromised client can send a variable length buffer value for the
GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the
size of the "key" used to send the response back, locks xlator can
segfault when it tries to do a dict_set because of the buffer overflow
in strncpy of pl_getxattr().
Fix:
Perform size checks while forming the 'key'.
Note:
This fix is already there in the master branch upstream as a part of the
commit 052849983e51a061d7fb2c3ffd74fa78bb257084 (https://review.gluster.org/#/c/glusterfs/+/20933/)
This patch just picks the code change needed to fix the vulnerability.
Fixes: CVE-2018-14652
fixes: bz#1645363
Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
| -rw-r--r-- | xlators/features/locks/src/posix.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c index 57753dac588..bf1c97bdbcc 100644 --- a/xlators/features/locks/src/posix.c +++ b/xlators/features/locks/src/posix.c @@ -1092,7 +1092,10 @@ pl_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc, goto out; } - strncpy (key, name, strlen (name)); + if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key)) { + op_ret = -1; + goto out; + } if (dict_set_dynstr (dict, key, lk_summary)) { op_ret = -1; op_errno = ENOMEM; |