multipathd: check for command overflow

Message ID	1661793425-25103-1-git-send-email-bmarzins@redhat.com (mailing list archive)
State	Not Applicable, archived
Delegated to:	Mike Snitzer
Headers	show Return-Path: <dm-devel-bounces@redhat.com> From: Benjamin Marzinski <bmarzins@redhat.com> To: Christophe Varoqui <christophe.varoqui@opensvc.com> Date: Mon, 29 Aug 2022 12:17:05 -0500 Message-Id: <1661793425-25103-1-git-send-email-bmarzins@redhat.com> Subject: [dm-devel] [PATCH] multipathd: check for command overflow Precedence: list Cc: device-mapper development <dm-devel@redhat.com>, Martin Wilck <Martin.Wilck@suse.com> MIME-Version: 1.0 Errors-To: dm-devel-bounces@redhat.com Sender: "dm-devel" <dm-devel-bounces@redhat.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	multipathd: check for command overflow \| expand multipathd: check for command overflow

Message ID

1661793425-25103-1-git-send-email-bmarzins@redhat.com (mailing list archive)

State

Not Applicable, archived

Delegated to:

Mike Snitzer

Headers

From: Benjamin Marzinski <bmarzins@redhat.com>
To: Christophe Varoqui <christophe.varoqui@opensvc.com>
Date: Mon, 29 Aug 2022 12:17:05 -0500
Message-Id: <1661793425-25103-1-git-send-email-bmarzins@redhat.com>
Subject: [dm-devel] [PATCH] multipathd: check for command overflow
Precedence: list
Cc: device-mapper development <dm-devel@redhat.com>,
 Martin Wilck <Martin.Wilck@suse.com>
MIME-Version: 1.0
Errors-To: dm-devel-bounces@redhat.com
Sender: "dm-devel" <dm-devel-bounces@redhat.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

multipathd: check for command overflow | expand

Commit Message

Benjamin Marzinski Aug. 29, 2022, 5:17 p.m. UTC

The code to build the command string calls snprintf() in a loop, adding
the return value to the start pointer, c. Since snprintf() can return
more characters than it actually printed if it runs out of space, c can
end up pointing past the end of the command string buffer on sebsequent
loops.  Since the size argument to snprintf() is unsigned, after an
overflow it will be a huge number, instead of a negative one, meaning
that it will continue printing past the end of the buffer. Check for
overflow after each snprintf() to avoid this.

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
 multipathd/main.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Martin Wilck Aug. 30, 2022, 7:30 p.m. UTC | #1

On Mon, 2022-08-29 at 12:17 -0500, Benjamin Marzinski wrote:
> The code to build the command string calls snprintf() in a loop,
> adding
> the return value to the start pointer, c. Since snprintf() can return
> more characters than it actually printed if it runs out of space, c
> can
> end up pointing past the end of the command string buffer on
> sebsequent
> loops.  Since the size argument to snprintf() is unsigned, after an
> overflow it will be a huge number, instead of a negative one, meaning
> that it will continue printing past the end of the buffer. Check for
> overflow after each snprintf() to avoid this.
> 
> Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>

Reviewed-by: Martin Wilck <mwilck@suse.com>

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

diff --git a/multipathd/main.c b/multipathd/main.c
index 5a408945..1032fb2a 100644
--- a/multipathd/main.c
+++ b/multipathd/main.c
@@ -3707,6 +3707,10 @@  main (int argc, char *argv[])
 					c += snprintf(c, s + CMDSIZE - c,
 						      "%s ", argv[optind]);
 				optind++;
+				if (c >= s + CMDSIZE) {
+					fprintf(stderr, "multipathd command too large\n");
+					exit(1);
+				}
 			}
 			c += snprintf(c, s + CMDSIZE - c, "\n");
 		}

multipathd: check for command overflow

Commit Message

Comments

Patch