From b2925e78a54e1aab7e2a06d40127c59cc922cf1b Mon Sep 17 00:00:00 2001
From: Amar Tumballi <amar@gluster.com>
Date: Fri, 13 Aug 2010 05:58:51 +0000
Subject: cli cmd validation

* check buffer/stack overwrite if there is large number of argument to
  gluster command

Signed-off-by: Amar Tumballi <amar@gluster.com>
Signed-off-by: Anand V. Avati <avati@dev.gluster.com>

BUG: 1265 ()
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=1265
---
 cli/src/cli-cmd-parser.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/cli/src/cli-cmd-parser.c b/cli/src/cli-cmd-parser.c
index c3bfc5f54..3d843680d 100644
--- a/cli/src/cli-cmd-parser.c
+++ b/cli/src/cli-cmd-parser.c
@@ -45,7 +45,8 @@ cli_cmd_volume_create_parse (const char **words, int wordcount, dict_t **options
         gf1_cluster_type type = GF_CLUSTER_TYPE_NONE;
         int     count = 0;
         int     brick_count = 0, brick_index = 0;
-        char    brick_list[8192] = {0,};
+        int     brick_list_size = 1;
+        char    brick_list[120000] = {0,};
 
         GF_ASSERT (words);
         GF_ASSERT (options);
@@ -116,9 +117,16 @@ cli_cmd_volume_create_parse (const char **words, int wordcount, dict_t **options
                         ret = -1;
                         goto out;
                 }
-
+                if ((brick_list_size + strlen (words[brick_index]) + 1) > 120000) {
+                        gf_log ("cli", GF_LOG_ERROR,
+                                "total brick list is larger than a request "
+                                "can take (brick_count %d)", brick_count);
+                        ret = -1;
+                        goto out;
+                }
                 strcat (brick_list, words[brick_index]);
                 strcat (brick_list, " ");
+                brick_list_size += (strlen (words[brick_index]) + 1);
                 ++brick_count;
                 ++brick_index;
                 /*
@@ -130,6 +138,7 @@ cli_cmd_volume_create_parse (const char **words, int wordcount, dict_t **options
                         goto out;
                 */
         }
+
         ret = dict_set_str (dict, "bricks", brick_list);
         if (ret)
                 goto out;
@@ -231,7 +240,8 @@ cli_cmd_volume_add_brick_parse (const char **words, int wordcount,
         int     count = 0;
         //char    key[50] = {0,};
         int     brick_count = 0, brick_index = 0;
-        char    brick_list[8192] = {0,};
+        int     brick_list_size = 1;
+        char    brick_list[120000] = {0,};
 
         GF_ASSERT (words);
         GF_ASSERT (options);
@@ -274,9 +284,17 @@ cli_cmd_volume_add_brick_parse (const char **words, int wordcount,
                         ret = -1;
                         goto out;
                 }
+                if ((brick_list_size + strlen (words[brick_index]) + 1) > 120000) {
+                        gf_log ("cli", GF_LOG_ERROR,
+                                "total brick list is larger than a request "
+                                "can take (brick_count %d)", brick_count);
+                        ret = -1;
+                        goto out;
+                }
 
                 strcat (brick_list, words[brick_index]);
                 strcat (brick_list, " ");
+                brick_list_size += (strlen (words[brick_index]) + 1);
                 ++brick_count;
                 ++brick_index;
                 /*
-- 
cgit