From 35791689ba5ef95da45290fd12ce9cff55c86258 Mon Sep 17 00:00:00 2001 From: "Bryn M. Reeves" Date: Mon, 12 Dec 2016 20:28:29 +0000 Subject: [PATCH] libdm: use destination size as limit in dm_bit_copy() The dm_bit_copy() macro uses the source (bs1) bitset size as the limit for memcpy: memcpy((bs1) + 1, (bs2) + 1, ((*(bs1) / DM_BITS_PER_INT) + 1)..) This is safe if the destination bitset is smaller than the source, or if the two bitsets are of the same size. With a destination that is larger (e.g. when resizing a bitmap to add more capacity), the memcpy will overrun the source bitset and set garbage bits in the destination. There are nine uses of the macro currently (8 in libdm/regex, and 1 in daemons/cmirrord): in each case the two bitsets are always of equal size so the behaviour is unchanged. Fix the macro to use bs2's size to simplify resizing bitsets and avoid the need for another copy macro.
---
 libdm/libdevmapper.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libdm/libdevmapper.h b/libdm/libdevmapper.h
index bcf784bea..ed46795b9 100644
--- a/libdm/libdevmapper.h
+++ b/libdm/libdevmapper.h
@@ -2090,7 +2090,7 @@ int dm_bit_get_prev(dm_bitset_t bs, int last_bit);
 memset((bs) + 1, 0, ((*(bs) / DM_BITS_PER_INT) + 1) * sizeof(int))

 #define dm_bit_copy(bs1, bs2) \
- memcpy((bs1) + 1, (bs2) + 1, ((*(bs1) / DM_BITS_PER_INT) + 1) * sizeof(int))
+ memcpy((bs1) + 1, (bs2) + 1, ((*(bs2) / DM_BITS_PER_INT) + 1) * sizeof(int))

 /*
 * Parse a string representation of a bitset into a dm_bitset_t. The
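Review bot: Taking the length from `*(bs2)` means the `memcpy` in `dm_bit_copy()` writes past the end of `bs1` whenever the destination holds fewer bits than the source, so the unchecked case moves from an over-read of the source to an overflow of the destination. The commit message says the nine current callers pass equal-size bitsets, but those call sites are outside this hunk and nothing in the macro enforces it. I would state the precondition above the macro, e.g. `/* bs1 must be at least as large as bs2; only bs2's words are copied and bs1's size word is left unchanged. */`, or clamp the count to the smaller of `*(bs1)` and `*(bs2)`. The message also calls bs1 the source and the subject says "destination size", while the code passes `bs1` as the `memcpy` destination and now sizes the copy by `bs2`; rewording that would keep the next reader from drawing the wrong conclusion about which side bounds the copy.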