
[v3,07/19] libmultipath: fix length issues in get_vpd_sgio

Message ID 1537571127-10143-8-git-send-email-bmarzins@redhat.com (mailing list archive)
State Not Applicable, archived
Delegated to: christophe varoqui
Series Misc Multipath patches | expand

Commit Message

Benjamin Marzinski Sept. 21, 2018, 11:05 p.m. UTC
When get_vpd_sgio() finds out that the vpd info needed to be truncated
to fit in the buffer, it doesn't truncate the size as well, which allows
it to overwrite the buffer. Also, once len is set to -ENODATA,
get_vpd_sgio() should exit, instead of using the negative len in
memcpy(). Found by coverity.

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
 libmultipath/discovery.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Comments

Martin Wilck Oct. 1, 2018, 9:25 p.m. UTC | #1
On Fri, 2018-09-21 at 18:05 -0500, Benjamin Marzinski wrote:
> When get_vpd_sgio() finds out that the vpd info needed to be
> truncated
> to fit in the buffer, it doesn't trucate the size as well,  which
> allows
> it to overwrite the buffer. Also, in once len is set to -ENODATA,
> get_vpd_sgio() should exit, instead of using the negative len in
> memcpy(). Found by coverity.
> 
> Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>

Reviewed-by: Martin Wilck <mwilck@suse.com>


> ---
>  libmultipath/discovery.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
> index 0b1855d..3e0db7f 100644
> --- a/libmultipath/discovery.c
> +++ b/libmultipath/discovery.c
> @@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int
> maxlen)
>  		return -ENODATA;
>  	}
>  	buff_len = get_unaligned_be16(&buff[2]) + 4;
> -	if (buff_len > 4096)
> +	if (buff_len > 4096) {
>  		condlog(3, "vpd pg%02x page truncated", pg);
> -
> +		buff_len = 4096;
> +	}
>  	if (pg == 0x80)
>  		len = parse_vpd_pg80(buff, str, maxlen);
>  	else if (pg == 0x83)
>  		len = parse_vpd_pg83(buff, buff_len, str, maxlen);
>  	else if (pg == 0xc9 && maxlen >= 8) {
> -		len = buff_len < 8 ? -ENODATA :
> -			(buff_len <= maxlen ? buff_len : maxlen);
> -		memcpy (str, buff, len);
> +		if (buff_len < 8)
> +			len = -ENODATA;
> +		else {
> +			len = (buff_len <= maxlen)? buff_len : maxlen;
> +			memcpy (str, buff, len);
> +		}
>  	} else
>  		len = -ENOSYS;
>

Patch

diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
index 0b1855d..3e0db7f 100644
--- a/libmultipath/discovery.c
+++ b/libmultipath/discovery.c
@@ -1116,17 +1116,21 @@  get_vpd_sgio (int fd, int pg, char * str, int maxlen)
 		return -ENODATA;
 	}
 	buff_len = get_unaligned_be16(&buff[2]) + 4;
-	if (buff_len > 4096)
+	if (buff_len > 4096) {
 		condlog(3, "vpd pg%02x page truncated", pg);
-
+		buff_len = 4096;
+	}
 	if (pg == 0x80)
 		len = parse_vpd_pg80(buff, str, maxlen);
 	else if (pg == 0x83)
 		len = parse_vpd_pg83(buff, buff_len, str, maxlen);
 	else if (pg == 0xc9 && maxlen >= 8) {
-		len = buff_len < 8 ? -ENODATA :
-			(buff_len <= maxlen ? buff_len : maxlen);
-		memcpy (str, buff, len);
+		if (buff_len < 8)
+			len = -ENODATA;
+		else {
+			len = (buff_len <= maxlen)? buff_len : maxlen;
+			memcpy (str, buff, len);
+		}
 	} else
 		len = -ENOSYS;
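Review bot: The clamp added after `buff_len = get_unaligned_be16(&buff[2]) + 4;` only reaches `parse_vpd_pg83()` and the 0xc9 `memcpy`; the 0x80 branch still calls `parse_vpd_pg80(buff, str, maxlen)` with no length. The length field at `buff[2..3]` is supplied by the device, so if parse_vpd_pg80 (not visible in this hunk) re-reads it, it needs its own bound against the 4096-byte page. Either pass the clamped value the way the 0x83 path does, `len = parse_vpd_pg80(buff, buff_len, str, maxlen);` (this needs a matching signature change outside this hunk), or confirm that the helper limits its copy to both `maxlen` and the buffer size. Separately, the literal `4096` now appears twice in the check; if `buff` is a local array, `sizeof(buff)` would keep the limit tied to the declaration. The body of get_vpd_sgio starts and ends outside the hunk, so the declaration of `buff` and the final return could not be checked here.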