From e2c195712a9ecbda4fa02f5308138a1257a2558a Mon Sep 17 00:00:00 2001
From: Ravishankar N
Date: Mon, 8 Oct 2018 11:04:14 +0530
Subject: features/locks: add buffer overflow checks in pl_getxattr

Problem: A compromised client can send a variable length buffer value for the GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the size of the "key" used to send the response back, locks xlator can segfault when it tries to do a dict_set because of the buffer overflow in strncpy of pl_getxattr().

Fix: Perform size checks while forming the 'key'.

Note: This fix is already there in the master branch upstream as a part of the commit 052849983e51a061d7fb2c3ffd74fa78bb257084 (https://review.gluster.org/#/c/glusterfs/+/20933/) This patch just picks the code change needed to fix the vulnerability.

Fixes: CVE-2018-14652
fixes: bz#1645363
Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2
Signed-off-by: Ravishankar N
---
 xlators/features/locks/src/posix.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c
index 57753dac588..bf1c97bdbcc 100644
--- a/xlators/features/locks/src/posix.c
+++ b/xlators/features/locks/src/posix.c
@@ -1092,7 +1092,10 @@ pl_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
                 goto out;
         }
-        strncpy (key, name, strlen (name));
+        if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key)) {
+                op_ret = -1;
+                goto out;
+        }
         if (dict_set_dynstr (dict, key, lk_summary)) {
                 op_ret = -1;
                 op_errno = ENOMEM;
-- 
cgit
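Review bot: The new truncation path at the added `if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key))` sets op_ret but leaves op_errno untouched, unlike the `dict_set_dynstr` failure path directly below it, which sets `op_errno = ENOMEM`; pl_getxattr will therefore unwind with whatever op_errno held before this point, which is not visible in the hunk. Adding `op_errno = EINVAL;` next to the new `op_ret = -1;` gives the oversized name (client-supplied, per the commit message) a deterministic error instead of a stale one. The comparison also mixes snprintf's `int` return with `size_t`; a negative return is promoted and still takes the error path, so it is not a hole, but `int n = snprintf(key, sizeof(key), "%s", name); if (n < 0 || (size_t)n >= sizeof(key)) {` makes that explicit and keeps -Wsign-compare quiet. Whether `lk_summary` is released on this early exit depends on the `out:` label, which lies outside the hunk, as do the start and end of pl_getxattr's body.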