summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRavishankar N <ravishankar@redhat.com>2018-10-08 11:04:14 +0530
committerRavishankar N <ravishankar@redhat.com>2018-11-02 10:14:53 +0530
commite2c195712a9ecbda4fa02f5308138a1257a2558a (patch)
tree5ecbcdcdd4b296a9ee23e7613bef106017188c2c
parentbc453a0075c1305be18cc64440e35a86624daed4 (diff)
features/locks: add buffer overflow checks in pl_getxattr
Problem: A compromised client can send a variable length buffer value for the GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the size of the "key" used to send the response back, locks xlator can segfault when it tries to do a dict_set because of the buffer overflow in strncpy of pl_getxattr(). Fix: Perform size checks while forming the 'key'. Note: This fix is already there in the master branch upstream as a part of the commit 052849983e51a061d7fb2c3ffd74fa78bb257084 (https://review.gluster.org/#/c/glusterfs/+/20933/) This patch just picks the code change needed to fix the vulnerability. Fixes: CVE-2018-14652 fixes: bz#1645363 Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2 Signed-off-by: Ravishankar N <ravishankar@redhat.com>
-rw-r--r--xlators/features/locks/src/posix.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c
index 57753dac588..bf1c97bdbcc 100644
--- a/xlators/features/locks/src/posix.c
+++ b/xlators/features/locks/src/posix.c
@@ -1092,7 +1092,10 @@ pl_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
goto out;
}
- strncpy (key, name, strlen (name));
+ if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key)) {
+ op_ret = -1;
+ goto out;
+ }
if (dict_set_dynstr (dict, key, lk_summary)) {
op_ret = -1;
op_errno = ENOMEM;