summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJim Meyering <meyering@redhat.com>2012-07-03 17:06:46 +0200
committerAnand Avati <avati@redhat.com>2012-07-12 00:27:15 -0700
commitc76b49047aa396c0296a6ba2120e14abc0d27491 (patch)
tree11b2a48b5ffb430f473a194feeb399f768c9d257
parentee480749ee61af01b18ddb37e80a73153c7de92e (diff)
geo-rep: don't let unexpected status provoke undefined behavior
glusterd_gsync_read_frm_status reads what is expected to be a NUL- terminated status string from the specified file, but makes two mistakes when trying to do the favor of trimming trailing spaces. Do not let a leading NUL byte of status cause us to read buf[-1] and possibly to clear that and any preceding "trailing" spaces. Do not let a blen-byte input (with no NUL byte) cause our use of strlen to access beyond the end of non-NUL-terminated buffer. I looked at this code because coverity reported that it was assuming a read-provided buffer to be NUL-terminated. Change-Id: I140be0948e31196e5be08766d4e6400bf6f4dfa1 BUG: 789278 Signed-off-by: Jim Meyering <meyering@redhat.com> Reviewed-on: http://review.gluster.com/3647 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Anand Avati <avati@redhat.com>
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-geo-rep.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-geo-rep.c b/xlators/mgmt/glusterd/src/glusterd-geo-rep.c
index 62122dbc2..901e5e1e6 100644
--- a/xlators/mgmt/glusterd/src/glusterd-geo-rep.c
+++ b/xlators/mgmt/glusterd/src/glusterd-geo-rep.c
@@ -1362,7 +1362,6 @@ glusterd_gsync_read_frm_status (char *path, char *buf, size_t blen)
{
int ret = 0;
int status_fd = -1;
- char *p = NULL;
GF_ASSERT (path);
GF_ASSERT (buf);
@@ -1374,10 +1373,16 @@ glusterd_gsync_read_frm_status (char *path, char *buf, size_t blen)
}
ret = read (status_fd, buf, blen - 1);
if (ret > 0) {
- p = buf + strlen (buf) - 1;
- while (isspace (*p))
- *p-- = '\0';
- ret = 0;
+ size_t len = strnlen (buf, ret);
+ /* Ensure there is a NUL byte and that it's not the first. */
+ if (len == 0 || len == blen - 1) {
+ ret = -1;
+ } else {
+ char *p = buf + len - 1;
+ while (isspace (*p))
+ *p-- = '\0';
+ ret = 0;
+ }
} else if (ret < 0)
gf_log ("", GF_LOG_ERROR, "Status file of gsyncd is corrupt");