shaba/lvm2
1
0
Fork 0
mirror of git://sourceware.org/git/lvm2.git synced 2025-01-09 01:18:39 +03:00
Code Releases Activity

Do not write to -1 buffer address

Browse Source 
In case of zero bytes would be read from sysfs, it would store '\0' on
temp_buf[-1] address.

Simplify some buffer length calculation and use strcpy if we've just
checked string fits in give buffer.

Replace jump label error: with bad: commonly used in libdm.
This commit is contained in:
Zdenek Kabelac 2012-02-13 10:49:28 +00:00
parent 193c832d12
commit 7cf73cbc1f
2 changed files with 26 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
WHATS_NEW_DM
View File

@ -1,5 +1,6 @@
Version 1.02.71 - Version 1.02.71 -
==================================== ====================================
Fix potential risk of writing in front of buffer in _sysfs_get_dm_name().
Version 1.02.70 - 12th February 2012 Version 1.02.70 - 12th February 2012
==================================== ====================================

50
libdm/libdm-common.c
View File

@ -1191,19 +1191,18 @@ static int _sysfs_get_dm_name(uint32_t major, uint32_t minor, char *buf, size_t
char *sysfs_path, *temp_buf; char *sysfs_path, *temp_buf;
FILE *fp = NULL; FILE *fp = NULL;
int r = 0; int r = 0;
size_t len;
if (!(sysfs_path = dm_malloc(PATH_MAX)) || if (!(sysfs_path = dm_malloc(PATH_MAX)) ||
!(temp_buf = dm_malloc(PATH_MAX))) { !(temp_buf = dm_malloc(PATH_MAX))) {
log_error("_sysfs_get_dm_name: failed to allocate temporary buffers"); log_error("_sysfs_get_dm_name: failed to allocate temporary buffers");
if (sysfs_path) goto bad;
dm_free(sysfs_path);
return 0;
} }
if (dm_snprintf(sysfs_path, PATH_MAX, "%sdev/block/%" PRIu32 ":%" PRIu32 if (dm_snprintf(sysfs_path, PATH_MAX, "%sdev/block/%" PRIu32 ":%" PRIu32
"/dm/name", _sysfs_dir, major, minor) < 0) { "/dm/name", _sysfs_dir, major, minor) < 0) {
log_error("_sysfs_get_dm_name: dm_snprintf failed"); log_error("_sysfs_get_dm_name: dm_snprintf failed");
goto error; goto bad;
} }
if (!(fp = fopen(sysfs_path, "r"))) { if (!(fp = fopen(sysfs_path, "r"))) {
@ -1211,23 +1210,25 @@ static int _sysfs_get_dm_name(uint32_t major, uint32_t minor, char *buf, size_t
log_sys_error("fopen", sysfs_path); log_sys_error("fopen", sysfs_path);
else else
log_sys_debug("fopen", sysfs_path); log_sys_debug("fopen", sysfs_path);
goto error; goto bad;
} }
if (!fgets(temp_buf, PATH_MAX, fp)) { if (!fgets(temp_buf, PATH_MAX, fp)) {
log_sys_error("fgets", sysfs_path); log_sys_error("fgets", sysfs_path);
goto error; goto bad;
} }
temp_buf[strlen(temp_buf) - 1] = '\0';
if (buf_size < strlen(temp_buf) + 1) { len = strlen(temp_buf);
if (len > buf_size) {
log_error("_sysfs_get_dm_name: supplied buffer too small"); log_error("_sysfs_get_dm_name: supplied buffer too small");
goto error; goto bad;
} }
strncpy(buf, temp_buf, buf_size); temp_buf[len ? len - 1 : 0] = '\0'; /* \n */
strcpy(buf, temp_buf);
r = 1; r = 1;
error: bad:
if (fp && fclose(fp)) if (fp && fclose(fp))
log_sys_error("fclose", sysfs_path); log_sys_error("fclose", sysfs_path);
@ -1241,19 +1242,19 @@ static int _sysfs_get_kernel_name(uint32_t major, uint32_t minor, char *buf, siz
{ {
char *sysfs_path, *temp_buf, *name; char *sysfs_path, *temp_buf, *name;
ssize_t size; ssize_t size;
size_t len;
int r = 0;
if (!(sysfs_path = dm_malloc(PATH_MAX)) || if (!(sysfs_path = dm_malloc(PATH_MAX)) ||
!(temp_buf = dm_malloc(PATH_MAX))) { !(temp_buf = dm_malloc(PATH_MAX))) {
log_error("_sysfs_get_kernel_name: failed to allocate temporary buffers"); log_error("_sysfs_get_kernel_name: failed to allocate temporary buffers");
if (sysfs_path) goto bad;
dm_free(sysfs_path);
return 0;
} }
if (dm_snprintf(sysfs_path, PATH_MAX, "%sdev/block/%" PRIu32 ":%" PRIu32, if (dm_snprintf(sysfs_path, PATH_MAX, "%sdev/block/%" PRIu32 ":%" PRIu32,
_sysfs_dir, major, minor) < 0) { _sysfs_dir, major, minor) < 0) {
log_error("_sysfs_get_kernel_name: dm_snprintf failed"); log_error("_sysfs_get_kernel_name: dm_snprintf failed");
goto error; goto bad;
} }
if ((size = readlink(sysfs_path, temp_buf, PATH_MAX - 1)) < 0) { if ((size = readlink(sysfs_path, temp_buf, PATH_MAX - 1)) < 0) {
@ -1261,30 +1262,29 @@ static int _sysfs_get_kernel_name(uint32_t major, uint32_t minor, char *buf, siz
log_sys_error("readlink", sysfs_path); log_sys_error("readlink", sysfs_path);
else else
log_sys_debug("readlink", sysfs_path); log_sys_debug("readlink", sysfs_path);
goto error; goto bad;
} }
temp_buf[size] = '\0'; temp_buf[size] = '\0';
if (!(name = strrchr(temp_buf, '/'))) { if (!(name = strrchr(temp_buf, '/'))) {
log_error("Could not locate device kernel name in sysfs path %s", temp_buf); log_error("Could not locate device kernel name in sysfs path %s", temp_buf);
goto error; goto bad;
} }
name += 1; name += 1;
len = size - (name - temp_buf) + 1;
if (buf_size < strlen(name) + 1) { if (len > buf_size) {
log_error("_sysfs_get_kernel_name: output buffer too small"); log_error("_sysfs_get_kernel_name: output buffer too small");
goto error; goto bad;
} }
strncpy(buf, name, buf_size); strcpy(buf, name);
r = 1;
bad:
dm_free(sysfs_path); dm_free(sysfs_path);
dm_free(temp_buf); dm_free(temp_buf);
return 1;
error: return r;
dm_free(sysfs_path);
dm_free(temp_buf);
return 0;
} }
int dm_device_get_name(uint32_t major, uint32_t minor, int prefer_kernel_name, int dm_device_get_name(uint32_t major, uint32_t minor, int prefer_kernel_name,