summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNithya Balachandran <nbalacha@redhat.com>2014-06-27 16:28:52 +0530
committerPranith Kumar Karampuri <pkarampu@redhat.com>2014-12-03 22:12:09 -0800
commitac4c203bfb4c3ebe48a08ef695ee462ba9b5e2c7 (patch)
treec2cd11bfca6212257ad67a668d7dee9652321ee8
parent7a352c258d7608cbf105a66de880660d5fa3b850 (diff)
Glusterfs/posix: Stack corruption in posix_handle_pump
posix_handle_pump can corrupt the stack if the buffer passed to it is too small to hold the final path. Fix : Check if the buffer is sufficiently large to hold the new path component before modifying it. This will prevent the buffer overrun but the path returned will most likely have too many symbolic links causing subsequent file ops to fail with ELOOP. The callers of this function do not currently check the return value. The code needs to be modified to have all callers check the return value and take appropriate action in case of an error. Change-Id: I6d9589195a4b0d971a107514ded6e97381e5982e BUG: 1113960 Signed-off-by: Nithya Balachandran <nbalacha@redhat.com> Reviewed-on: http://review.gluster.org/8189 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Raghavendra G <rgowdapp@redhat.com> Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com> Tested-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
-rw-r--r--xlators/storage/posix/src/posix-handle.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/xlators/storage/posix/src/posix-handle.c b/xlators/storage/posix/src/posix-handle.c
index ab202d79dc9..7ab654316ee 100644
--- a/xlators/storage/posix/src/posix-handle.c
+++ b/xlators/storage/posix/src/posix-handle.c
@@ -295,13 +295,16 @@ posix_handle_pump (xlator_t *this, char *buf, int len, int maxlen,
}
blen = link_len - 48;
+
+ if(len + blen >= maxlen)
+ goto err;
+
memmove (buf + base_len + blen, buf + base_len,
(strlen (buf) - base_len) + 1);
strncpy (base_str + pfx_len, linkname + 6, 42);
- if (len + blen < maxlen)
- strncpy (buf + pfx_len, linkname + 6, link_len - 6);
+ strncpy (buf + pfx_len, linkname + 6, link_len - 6);
out:
return len + blen;
err: