author | Nithya Balachandran <nbalacha@redhat.com> | 2014-06-27 16:28:52 +0530
---|---|---
committer | Pranith Kumar Karampuri <pkarampu@redhat.com> | 2014-12-03 22:12:09 -0800
commit | ac4c203bfb4c3ebe48a08ef695ee462ba9b5e2c7 |
tree | c2cd11bfca6212257ad67a668d7dee9652321ee8 | /xlators/storage
parent | 7a352c258d7608cbf105a66de880660d5fa3b850 |
Glusterfs/posix: Stack corruption in posix_handle_pump

posix_handle_pump can corrupt the stack if the buffer
passed to it is too small to hold the final path.

Fix:
Check if the buffer is sufficiently large to hold the new path
component before modifying it. This will prevent the buffer
overrun but the path returned will most likely have too many symbolic
links causing subsequent file ops to fail with ELOOP.

The callers of this function do not currently check the return value.
The code needs to be modified to have all callers check the return
value and take appropriate action in case of an error.

Change-Id: I6d9589195a4b0d971a107514ded6e97381e5982e
BUG: 1113960
Signed-off-by: Nithya Balachandran <nbalacha@redhat.com>
Reviewed-on: http://review.gluster.org/8189
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
Tested-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
Diffstat (limited to 'xlators/storage')
-rw-r--r-- | xlators/storage/posix/src/posix-handle.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/xlators/storage/posix/src/posix-handle.c b/xlators/storage/posix/src/posix-handle.c index ab202d79dc9..7ab654316ee 100644 --- a/xlators/storage/posix/src/posix-handle.c +++ b/xlators/storage/posix/src/posix-handle.c @@ -295,13 +295,16 @@ posix_handle_pump (xlator_t *this, char *buf, int len, int maxlen, } blen = link_len - 48; + + if(len + blen >= maxlen) + goto err; + memmove (buf + base_len + blen, buf + base_len, (strlen (buf) - base_len) + 1); strncpy (base_str + pfx_len, linkname + 6, 42); - if (len + blen < maxlen) - strncpy (buf + pfx_len, linkname + 6, link_len - 6); + strncpy (buf + pfx_len, linkname + 6, link_len - 6); out: return len + blen; err: |
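Review bot: the new guard `if(len + blen >= maxlen)` bounds the write using `len`, while the `memmove` right after it sizes its copy from `strlen (buf)`, so the check only prevents the overrun if `len` is guaranteed to equal `strlen (buf)` on entry. Either compute the bound from the same quantity the `memmove` uses or state that invariant in a comment on the function. Since the commit message says no caller checks the return value, a log message at the `goto err` site (if the `err:` path does not already emit one) would make the later ELOOP failures traceable to this truncation. Style: `if(` is missing the space before the parenthesis that the surrounding calls (`memmove (`, `strncpy (`) use.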