From ac4c203bfb4c3ebe48a08ef695ee462ba9b5e2c7 Mon Sep 17 00:00:00 2001
From: Nithya Balachandran
Date: Fri, 27 Jun 2014 16:28:52 +0530
Subject: Glusterfs/posix: Stack corruption in posix_handle_pump

posix_handle_pump can corrupt the stack if the buffer passed to it is too small to hold the final path. Fix : Check if the buffer is sufficiently large to hold the new path component before modifying it. This will prevent the buffer overrun but the path returned will most likely have too many symbolic links causing subsequent file ops to fail with ELOOP. The callers of this function do not currently check the return value. The code needs to be modified to have all callers check the return value and take appropriate action in case of an error.

Change-Id: I6d9589195a4b0d971a107514ded6e97381e5982e
BUG: 1113960
Signed-off-by: Nithya Balachandran
Reviewed-on: http://review.gluster.org/8189
Tested-by: Gluster Build System
Reviewed-by: Raghavendra G
Reviewed-by: Pranith Kumar Karampuri
Tested-by: Pranith Kumar Karampuri
---
 xlators/storage/posix/src/posix-handle.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'xlators/storage/posix')
diff --git a/xlators/storage/posix/src/posix-handle.c b/xlators/storage/posix/src/posix-handle.c
index ab202d79dc9..7ab654316ee 100644
--- a/xlators/storage/posix/src/posix-handle.c
+++ b/xlators/storage/posix/src/posix-handle.c
@@ -295,13 +295,16 @@ posix_handle_pump (xlator_t *this, char *buf, int len, int maxlen,
 }

 blen = link_len - 48;
+
+ if(len + blen >= maxlen)
+ goto err;
+
 memmove (buf + base_len + blen, buf + base_len,
 (strlen (buf) - base_len) + 1);

 strncpy (base_str + pfx_len, linkname + 6, 42);

- if (len + blen < maxlen)
- strncpy (buf + pfx_len, linkname + 6, link_len - 6);
+ strncpy (buf + pfx_len, linkname + 6, link_len - 6);
 out:
 return len + blen;
 err:
-- cgit
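Review bot: The new guard `if(len + blen >= maxlen)` bounds the write with the caller-supplied `len`, while the `memmove` right after it sizes its copy from `strlen (buf)`, so the check only protects `buf` if `len` is at least `strlen (buf)` at this point, which the hunk does not show. Deriving both from one value would make the bound self-evident: `size_t cur = strlen (buf);` followed by `if (blen < 0 || cur + blen >= (size_t) maxlen) goto err;`, reusing `cur` in the `memmove` length. The `blen < 0` term matters only if `link_len` can be below 48 here, which depends on checks above the hunk. The function body starts before the hunk and the statement under `err:` lies after it, so neither could be verified from this view.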