From patchwork Fri Jun 7 13:05:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Wilck X-Patchwork-Id: 10981667 X-Patchwork-Delegate: christophe.varoqui@free.fr Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 47E7E14E5 for ; Fri, 7 Jun 2019 13:09:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 363C928857 for ; Fri, 7 Jun 2019 13:09:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2ABE628947; Fri, 7 Jun 2019 13:09:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id C934128857 for ; Fri, 7 Jun 2019 13:09:21 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D43B430F1BC8; Fri, 7 Jun 2019 13:09:20 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id ACD828386C; Fri, 7 Jun 2019 13:09:20 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E2481206D5; Fri, 7 Jun 2019 13:09:18 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x57D6rVM000387 for ; Fri, 7 Jun 2019 09:06:55 -0400 Received: by smtp.corp.redhat.com (Postfix) id 9E48D7FE94; Fri, 7 Jun 2019 13:06:53 +0000 (UTC) Delivered-To: dm-devel@redhat.com Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.45]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 957C97FE8D; Fri, 7 Jun 2019 13:06:51 +0000 (UTC) Received: from smtp2.provo.novell.com (smtp2.provo.novell.com [137.65.250.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E4C4630001E1; Fri, 7 Jun 2019 13:06:33 +0000 (UTC) Received: from apollon.suse.de.de (prva10-snat226-2.provo.novell.com [137.65.226.36]) by smtp2.provo.novell.com with ESMTP (TLS encrypted); Fri, 07 Jun 2019 07:06:24 -0600 From: Martin Wilck To: Christophe Varoqui , Benjamin Marzinski Date: Fri, 7 Jun 2019 15:05:36 +0200 Message-Id: <20190607130552.13203-15-mwilck@suse.com> In-Reply-To: <20190607130552.13203-1-mwilck@suse.com> References: <20190607130552.13203-1-mwilck@suse.com> MIME-Version: 1.0 X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 216 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Fri, 07 Jun 2019 13:06:41 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Fri, 07 Jun 2019 13:06:41 +0000 (UTC) for IP:'137.65.250.81' DOMAIN:'smtp2.provo.novell.com' HELO:'smtp2.provo.novell.com' FROM:'mwilck@suse.com' RCPT:'' X-RedHat-Spam-Score: -2.301 (RCVD_IN_DNSWL_MED, SPF_PASS) 137.65.250.81 smtp2.provo.novell.com 137.65.250.81 smtp2.provo.novell.com X-Scanned-By: MIMEDefang 2.84 on 10.5.110.45 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: dm-devel@redhat.com Cc: dm-devel@redhat.com, Martin Wilck Subject: [dm-devel] [PATCH 14/30] libmultipath: fix parsing of VPD 83 type 1 (T10 vendor ID) X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Fri, 07 Jun 2019 13:09:21 +0000 (UTC) X-Virus-Scanned: ClamAV using ClamSMTP In the buffer overflow case, the code would set p_len = out_len - len - 2, then len = len + plen = out_len - 2, and check if len >= out_len - 1, which is never the case. Rather, set p_len = out_len - len -1, and check the length again before appending the underscore. Fixes: 18176202e75c "Read wwid from sysfs vpg_pg83 attribute" Signed-off-by: Martin Wilck --- libmultipath/discovery.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c index 407e64a0..f360e306 100644 --- a/libmultipath/discovery.c +++ b/libmultipath/discovery.c @@ -1065,8 +1065,11 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len, p = vpd; while ((p = memchr(vpd, ' ', vpd_len))) { p_len = p - vpd; - if (len + p_len > out_len - 1) - p_len = out_len - len - 2; + if (len + p_len > out_len - 1) { + condlog(1, "%s: WWID overflow, type 1, %d/%lu bytes required", + __func__, len + p_len, out_len); + p_len = out_len - len - 1; + } memcpy(out + len, vpd, p_len); len += p_len; if (len >= out_len - 1) { @@ -1075,6 +1078,10 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len, } out[len] = '_'; len ++; + if (len >= out_len - 1) { + out[len] = '\0'; + break; + } vpd = p; vpd_len -= p_len; while (vpd && *vpd == ' ') {