diff options
| author | Emmanuel Dreyfus <manu@netbsd.org> | 2014-11-27 09:13:36 +0100 |
|---|---|---|
| committer | Vijay Bellur <vbellur@redhat.com> | 2014-11-28 08:33:44 -0800 |
| commit | dcbab25710aa60a22708a0de8c41735bfca06d07 (patch) | |
| tree | 7ea318af5b20f56ea80b762e7829cae315cb45cc /xlators/storage/posix/src/posix-helpers.c | |
| parent | c233d3e0414670546c6ff8edc65b761f86353ffc (diff) | |
posix: Fix buffer overrun in _handle_list_xattr()
In _handle_list_xattr() we test remaining_size > 0 to check that
we do not overrun the buffer, but since that variable was unsigned
(size_t), the condition would let us go beyond end of buffer if
remaining_size became negative.
This could happen if attribute list grew between the first
sys_llistxattr() call that gets the size and the second sys_llistxattr()
call that get the data. We fix the problem by making remaining_size
signed (ssize_t). This also matches sys_llistxattr() return type.
While there, we use the size returned by the second sys_llistxattr()
call to parse the buffser, as it may also be smaller than the size
obtained from first call, if attribute list shrank.
This fixes a spurious crash in tests/basic/afr/resolve.t
BUG: 1129939
Change-Id: Ifc5884dd0f39a50bf88aa51fefca8e2fa22ea913
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/9204
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'xlators/storage/posix/src/posix-helpers.c')
| -rw-r--r-- | xlators/storage/posix/src/posix-helpers.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/xlators/storage/posix/src/posix-helpers.c b/xlators/storage/posix/src/posix-helpers.c index 5cf6d210854..62b0d2e10fe 100644 --- a/xlators/storage/posix/src/posix-helpers.c +++ b/xlators/storage/posix/src/posix-helpers.c @@ -580,7 +580,7 @@ _handle_list_xattr (dict_t *xattr_req, const char *real_path, ssize_t size = 0; char *list = NULL; int32_t list_offset = 0; - size_t remaining_size = 0; + ssize_t remaining_size = 0; char *key = NULL; if (!real_path) @@ -594,11 +594,10 @@ _handle_list_xattr (dict_t *xattr_req, const char *real_path, if (!list) goto out; - size = sys_llistxattr (real_path, list, size); - if (size <= 0) + remaining_size = sys_llistxattr (real_path, list, size); + if (remaining_size <= 0) goto out; - remaining_size = size; list_offset = 0; while (remaining_size > 0) { key = list + list_offset; |