diff options
| author | Santosh Kumar Pradhan <spradhan@redhat.com> | 2014-07-03 17:11:44 +0530 |
|---|---|---|
| committer | Niels de Vos <ndevos@redhat.com> | 2014-07-08 03:36:18 -0700 |
| commit | 3d7b19cd1ecd53f0808b07df7c4ac801fd48f3c3 (patch) | |
| tree | 78efa080b5791a2e625e274309d9b2545b2be3a9 /rpc | |
| parent | 828fe8068de0f1357e5c26097e45d752b3f7f6c4 (diff) | |
rpcsvc: Validate RPC procedure number before fetch
While accessing the procedures of given RPC program in,
rpcsvc_get_program_vector_sizer(), It was not checking boundary
conditions which would cause buffer overflow and subsequently SEGV.
Make sure rpcsvc_actor_t arrays have numactors number of actors.
FIX:
Validate the RPC procedure number before fetching the actor.
Upstream main review: http://review.gluster.org/7726
BUG: 1096020
Change-Id: Iaf207ee976cb56fa9a554ec82c9eab36d3b289ed
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-on: http://review.gluster.org/8228
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Diffstat (limited to 'rpc')
| -rw-r--r-- | rpc/rpc-lib/src/rpcsvc.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc.c b/rpc/rpc-lib/src/rpcsvc.c index d6e9ee951c8..11869233c8e 100644 --- a/rpc/rpc-lib/src/rpcsvc.c +++ b/rpc/rpc-lib/src/rpcsvc.c @@ -117,6 +117,7 @@ rpcsvc_get_program_vector_sizer (rpcsvc_t *svc, uint32_t prognum, pthread_mutex_lock (&svc->rpclock); { + /* Find the matching RPC program from registered list */ list_for_each_entry (program, &svc->programs, program) { if ((program->prognum == prognum) && (program->progver == progver)) { @@ -127,10 +128,20 @@ rpcsvc_get_program_vector_sizer (rpcsvc_t *svc, uint32_t prognum, } pthread_mutex_unlock (&svc->rpclock); - if (found) + if (found) { + /* Make sure the requested procnum is supported by RPC prog */ + if (procnum >= program->numactors) { + gf_log (GF_RPCSVC, GF_LOG_ERROR, + "RPC procedure %d not available for Program %s", + procnum, program->progname); + return NULL; + } + + /* SUCCESS: Supported procedure */ return program->actors[procnum].vector_sizer; - else - return NULL; + } + + return NULL; /* FAIL */ } gf_boolean_t @@ -2596,10 +2607,9 @@ out: } -rpcsvc_actor_t gluster_dump_actors[] = { +rpcsvc_actor_t gluster_dump_actors[GF_DUMP_MAXVALUE] = { [GF_DUMP_NULL] = {"NULL", GF_DUMP_NULL, NULL, NULL, 0, DRC_NA}, [GF_DUMP_DUMP] = {"DUMP", GF_DUMP_DUMP, rpcsvc_dump, NULL, 0, DRC_NA}, - [GF_DUMP_MAXVALUE] = {"MAXVALUE", GF_DUMP_MAXVALUE, NULL, NULL, 0, DRC_NA}, }; @@ -2608,5 +2618,5 @@ struct rpcsvc_program gluster_dump_prog = { .prognum = GLUSTER_DUMP_PROGRAM, .progver = GLUSTER_DUMP_VERSION, .actors = gluster_dump_actors, - .numactors = 2, + .numactors = GF_DUMP_MAXVALUE, }; |