[4/4] multipath: Fix a potential buffer overflow

Message ID	1497382123.4654.48.camel@suse.com (mailing list archive)
State	Not Applicable, archived
Delegated to:	Mike Snitzer
Headers	show Return-Path: <dm-devel-bounces@redhat.com> DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0A09F12016 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 61AEDD598D Message-ID: <1497382123.4654.48.camel@suse.com> From: Martin Wilck <mwilck@suse.com> To: Bart Van Assche <bart.vanassche@sandisk.com>, Christophe Varoqui <christophe.varoqui@opensvc.com> Date: Tue, 13 Jun 2017 21:28:43 +0200 In-Reply-To: <20170613163339.23005-5-bart.vanassche@sandisk.com> References: <20170613163339.23005-1-bart.vanassche@sandisk.com> <20170613163339.23005-5-bart.vanassche@sandisk.com> Mime-Version: 1.0 Cc: dm-devel@redhat.com Subject: Re: [dm-devel] [PATCH 4/4] multipath: Fix a potential buffer overflow Precedence: junk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com

Message ID

1497382123.4654.48.camel@suse.com (mailing list archive)

State

Not Applicable, archived

Delegated to:

Mike Snitzer

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0A09F12016
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 61AEDD598D
Message-ID: <1497382123.4654.48.camel@suse.com>
From: Martin Wilck <mwilck@suse.com>
To: Bart Van Assche <bart.vanassche@sandisk.com>, Christophe Varoqui
	<christophe.varoqui@opensvc.com>
Date: Tue, 13 Jun 2017 21:28:43 +0200
In-Reply-To: <20170613163339.23005-5-bart.vanassche@sandisk.com>
References: <20170613163339.23005-1-bart.vanassche@sandisk.com>
	<20170613163339.23005-5-bart.vanassche@sandisk.com>
Mime-Version: 1.0
Cc: dm-devel@redhat.com
Subject: Re: [dm-devel] [PATCH 4/4] multipath: Fix a potential buffer
	overflow
Precedence: junk
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dm-devel-bounces@redhat.com
Errors-To: dm-devel-bounces@redhat.com

Commit Message

Martin Wilck June 13, 2017, 7:28 p.m. UTC

Hi Bart,

On Tue, 2017-06-13 at 09:33 -0700, Bart Van Assche wrote:
> Avoid that gcc 7 reports the following warning:
> 
> cli_handlers.c:1340:18: warning: '%d' directive writing between 1 and
> 3 bytes into a region of size 2 [-Wformat-overflow=]
>   sprintf(*reply,"%d",mpp->prflag);
> 
> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
> ---
>  multipathd/cli_handlers.c | 14 ++++++--------
>  1 file changed, 6 insertions(+), 8 deletions(-)
> 
> diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
> index 04c73866..460fea1f 100644
> --- a/multipathd/cli_handlers.c
> +++ b/multipathd/cli_handlers.c
> @@ -1,6 +1,9 @@
>  /*
>   * Copyright (c) 2005 Christophe Varoqui
>   */
> +
> +#define _GNU_SOURCE
> +
>  #include "checkers.h"
>  #include "memory.h"
>  #include "vector.h"
> @@ -1332,14 +1335,9 @@ cli_getprstatus (void * v, char ** reply, int
> * len, void * data)
>  
>  	condlog(3, "%s: prflag = %u", param, (unsigned int)mpp-
> >prflag);
>  
> -	*reply =(char *)malloc(2);
> -	*len = 2;
> -	memset(*reply,0,2);
> -
> -
> -	sprintf(*reply,"%d",mpp->prflag);
> -	(*reply)[1]='\0';
> -
> +	*len = asprintf(reply, "%d", mpp->prflag);
> +	if (*len < 0)
> +		return 1;
>  
>  	condlog(3, "%s: reply = %s", param, *reply);
>  

how about this simpler patch, as prflag is actually a boolean?

Comments

Bart Van Assche June 13, 2017, 7:53 p.m. UTC | #1

On 06/13/17 12:29, Martin Wilck wrote:
> how about this simpler patch, as prflag is actually a boolean?
> 
> diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
> index 04c73866..c31ebd34 100644
> --- a/multipathd/cli_handlers.c
> +++ b/multipathd/cli_handlers.c
> @@ -1337,7 +1337,7 @@ cli_getprstatus (void * v, char ** reply, int * len, void * data)
>         memset(*reply,0,2);
>  
>  
> -       sprintf(*reply,"%d",mpp->prflag);
> +       sprintf(*reply, "%d", !!mpp->prflag);
>         (*reply)[1]='\0';

Hello Martin,

Every sprintf() call requires careful analysis to see whether or not it
triggers a buffer overflow. I really would like to get rid of that
sprintf() call.

Thanks,

Bart.

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

Martin Wilck June 13, 2017, 8:18 p.m. UTC | #2

On Tue, 2017-06-13 at 12:53 -0700, Bart Van Assche wrote:
> On 06/13/17 12:29, Martin Wilck wrote:
> > how about this simpler patch, as prflag is actually a boolean?
> > 
> > diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
> > index 04c73866..c31ebd34 100644
> > --- a/multipathd/cli_handlers.c
> > +++ b/multipathd/cli_handlers.c
> > @@ -1337,7 +1337,7 @@ cli_getprstatus (void * v, char ** reply, int
> > * len, void * data)
> >         memset(*reply,0,2);
> >  
> >  
> > -       sprintf(*reply,"%d",mpp->prflag);
> > +       sprintf(*reply, "%d", !!mpp->prflag);
> >         (*reply)[1]='\0';
> 
> Hello Martin,
> 
> Every sprintf() call requires careful analysis to see whether or not
> it
> triggers a buffer overflow. I really would like to get rid of that
> sprintf() call.

Then we could write

	snprintf(*reply, 2, "%d", !!mpp->prflag);
  
without needing _GNU_SOURCE.

Martin

Bart Van Assche June 13, 2017, 8:21 p.m. UTC | #3

On 06/13/17 13:18, Martin Wilck wrote:
> On Tue, 2017-06-13 at 12:53 -0700, Bart Van Assche wrote:
>> On 06/13/17 12:29, Martin Wilck wrote:
>>> how about this simpler patch, as prflag is actually a boolean?
>>>
>>> diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
>>> index 04c73866..c31ebd34 100644
>>> --- a/multipathd/cli_handlers.c
>>> +++ b/multipathd/cli_handlers.c
>>> @@ -1337,7 +1337,7 @@ cli_getprstatus (void * v, char ** reply, int
>>> * len, void * data)
>>>         memset(*reply,0,2);
>>>  
>>>  
>>> -       sprintf(*reply,"%d",mpp->prflag);
>>> +       sprintf(*reply, "%d", !!mpp->prflag);
>>>         (*reply)[1]='\0';
>>
>> Hello Martin,
>>
>> Every sprintf() call requires careful analysis to see whether or not
>> it
>> triggers a buffer overflow. I really would like to get rid of that
>> sprintf() call.
> 
> Then we could write
> 
> 	snprintf(*reply, 2, "%d", !!mpp->prflag);
>   
> without needing _GNU_SOURCE.

Hello Martin,

There are already three other multipath-tools source files that #define
_GNU_SOURCE so I don't see what's wrong with using _GNU_SOURCE.

Bart.

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

Martin Wilck June 13, 2017, 8:35 p.m. UTC | #4

Hello Bart,

On Tue, 2017-06-13 at 13:21 -0700, Bart Van Assche wrote:
> 
> > > Hello Martin,
> > > 
> > > Every sprintf() call requires careful analysis to see whether or
> > > not
> > > it
> > > triggers a buffer overflow. I really would like to get rid of
> > > that
> > > sprintf() call.
> > 
> > Then we could write
> > 
> > 	snprintf(*reply, 2, "%d", !!mpp->prflag);
> >   
> > without needing _GNU_SOURCE.
> 
> Hello Martin,
> 
> There are already three other multipath-tools source files that
> #define
> _GNU_SOURCE so I don't see what's wrong with using _GNU_SOURCE.

Yes, I saw that. I haven't reviewed the reason why _GNU_SOURCE is used
in the other places. In general it's a thing I'd rather avoid for
portability reasons.
In this particular case, I think the problem at hand be easily solved
without resorting to _GNU_SOURCE.

But well, it's not a thing worth fighting about. May Christophe decide.

Martin

diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
index 04c73866..c31ebd34 100644
--- a/multipathd/cli_handlers.c
+++ b/multipathd/cli_handlers.c
@@ -1337,7 +1337,7 @@  cli_getprstatus (void * v, char ** reply, int * len, void * data)
        memset(*reply,0,2);
 
 
-       sprintf(*reply,"%d",mpp->prflag);
+       sprintf(*reply, "%d", !!mpp->prflag);
        (*reply)[1]='\0';

[4/4] multipath: Fix a potential buffer overflow

Commit Message

Comments

Patch