author | Santosh Kumar Pradhan <spradhan@redhat.com> | 2014-05-09 15:01:19 +0530 |
---|---|---|
committer | Anand Avati <avati@redhat.com> | 2014-05-17 11:56:01 -0700 |
commit | 1dd80a2e7762bc72d11a432a1ebd16be181dcb86 (patch) | |
tree | 3eb57d084579d7d294cd2329181b00bda8f1a2a5 /rpc | |
parent | f4944449940ee08d8add767ba81cd5ca8f8611a5 (diff) |
rpcsvc: Validate RPC procedure number before fetch
While accessing the procedures of a given RPC program in
rpcsvc_get_program_vector_sizer(), the code was not checking boundary
conditions, which would cause a buffer overflow and subsequently a SEGV.
Make sure rpcsvc_actor_t arrays have numactors number of actors.
FIX:
Validate the RPC procedure number before fetching the actor.
Special Thanks to: Murray Ketchion, Grant Byers
Change-Id: I8b5abd406d47fab8fca65b3beb73cdfe8cd85b72
BUG: 1096020
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-on: http://review.gluster.org/7726
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-by: Anand Avati <avati@redhat.com>
Diffstat (limited to 'rpc')
-rw-r--r-- | rpc/rpc-lib/src/rpcsvc.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc.c b/rpc/rpc-lib/src/rpcsvc.c
index be9f9a861f0..c443a2e6a10 100644
--- a/rpc/rpc-lib/src/rpcsvc.c
+++ b/rpc/rpc-lib/src/rpcsvc.c
@@ -117,6 +117,7 @@ rpcsvc_get_program_vector_sizer (rpcsvc_t *svc, uint32_t prognum,
 pthread_mutex_lock (&svc->rpclock);
 {
+ /* Find the matching RPC program from registered list */
 list_for_each_entry (program, &svc->programs, program) {
 if ((program->prognum == prognum) && (program->progver == progver)) {
@@ -127,10 +128,20 @@ rpcsvc_get_program_vector_sizer (rpcsvc_t *svc, uint32_t prognum,
 }
 pthread_mutex_unlock (&svc->rpclock);
- if (found)
+ if (found) {
+ /* Make sure the requested procnum is supported by RPC prog */
+ if ((procnum < 0) || (procnum >= program->numactors)) {
+ gf_log (GF_RPCSVC, GF_LOG_ERROR,
+ "RPC procedure %d not available for Program %s",
+ procnum, program->progname);
+ return NULL;
+ }
+
+ /* SUCCESS: Supported procedure */
 return program->actors[procnum].vector_sizer;
- else
- return NULL;
+ }
+
+ return NULL; /* FAIL */
 }
 gf_boolean_t
@@ -2608,11 +2619,10 @@ out:
 }
-rpcsvc_actor_t gluster_dump_actors[] = {
+rpcsvc_actor_t gluster_dump_actors[GF_DUMP_MAXVALUE] = {
 [GF_DUMP_NULL] = {"NULL", GF_DUMP_NULL, NULL, NULL, 0, DRC_NA},
 [GF_DUMP_DUMP] = {"DUMP", GF_DUMP_DUMP, rpcsvc_dump, NULL, 0, DRC_NA},
 [GF_DUMP_PING] = {"PING", GF_DUMP_PING, rpcsvc_ping, NULL, 0, DRC_NA},
- [GF_DUMP_MAXVALUE] = {"MAXVALUE", GF_DUMP_MAXVALUE, NULL, NULL, 0, DRC_NA},
 };
@@ -2621,5 +2631,5 @@ struct rpcsvc_program gluster_dump_prog = {
 .prognum = GLUSTER_DUMP_PROGRAM,
 .progver = GLUSTER_DUMP_VERSION,
 .actors = gluster_dump_actors,
- .numactors = sizeof (gluster_dump_actors) / sizeof (gluster_dump_actors[0]) - 1,
+ .numactors = GF_DUMP_MAXVALUE,
 }; |
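Review bot: The `gf_log` call inside the new `if (found)` branch fires on a procedure number taken from the request, at `GF_LOG_ERROR` and with no visible rate limit, so a peer that keeps sending out-of-range calls can fill the log; a lower level or throttling for this message would be safer. If `procnum` is unsigned like `prognum` in the visible part of the signature (the rest of the signature is outside the hunk), `procnum < 0` is always false and the format should read `"RPC procedure %u not available for Program %s"`. The check and the `program->progname` read also run after `pthread_mutex_unlock (&svc->rpclock)`, which is safe only if a program cannot be unregistered concurrently; that is not visible here.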
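Review bot: The bounds check in `rpcsvc_get_program_vector_sizer` is only as strong as each program's `numactors`, and the last two hunks correct that value for `gluster_dump_prog` alone; actor tables of programs registered from outside `rpc` are not shown in this diff (the diffstat is limited to that directory) and need the same audit. Sizing the table as `gluster_dump_actors[GF_DUMP_MAXVALUE]` is the right pattern, since a designated initializer past the bound then fails to compile instead of silently growing the array. I would state the invariant next to the field, for example `/* must equal the element count of .actors; the procnum from the request is checked against it */`, so that new program definitions copied from this one keep it.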