Add boundary test for number of mirror devs and logs

As atoi may return negative value - test for both limits. Test log_args for limits before calling alloca(). Code from dmeventd mirror plugin should probably share same code as we have in mirrored.c.
2025-02-24 17:57:48 +03:00 · 2012-02-08 11:29:13 +00:00 · 2012-02-08 11:29:13 +00:00 · b63b775143
commit b63b775143
parent ebc9abf6c0
2 changed files with 8 additions and 5 deletions
--- a/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
+++ b/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2011 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2005-2012 Red Hat, Inc. All rights reserved.
 *
 * This file is part of LVM2.
 *
@ -18,6 +18,7 @@
 #include "errors.h"
 #include "libdevmapper-event.h"
 #include "dmeventd_lvm.h"
+#include "defaults.h"

 #include <syslog.h> /* FIXME Replace syslog with multilog */
 /* FIXME Missing openlog? */
@ -81,7 +82,8 @@ static int _get_mirror_event(char *params)
 	if (!dm_split_words(params, 1, 0, &p))
 		goto out_parse;

-	if (!(num_devs = atoi(p)))
+	if (!(num_devs = atoi(p)) ||
+	    (num_devs > DEFAULT_MIRROR_MAX_IMAGES) || (num_devs < 0))
 		goto out_parse;
 	p += strlen(p) + 1;

@ -90,6 +92,7 @@ static int _get_mirror_event(char *params)
 	if (!args || dm_split_words(p, num_devs + 7, 0, args) < num_devs + 5)
 		goto out_parse;

+	/* FIXME: Code differs from lib/mirror/mirrored.c */
 	dev_status_str = args[2 + num_devs];
 	log_argc = atoi(args[3 + num_devs]);
 	log_status_str = args[3 + num_devs + log_argc];
--- a/lib/mirror/mirrored.c
+++ b/lib/mirror/mirrored.c
@ -248,7 +248,7 @@ static int _mirrored_transient_status(struct lv_segment *seg, char *params)

 	p += strlen(p) + 1;

-	if (num_devs > DEFAULT_MIRROR_MAX_IMAGES) {
+	if (num_devs > DEFAULT_MIRROR_MAX_IMAGES || num_devs < 0) {
 		log_error("Unexpectedly many (%d) mirror images in %s.",
 			  num_devs, lv->name);
 		return_0;
@ -261,14 +261,14 @@ static int _mirrored_transient_status(struct lv_segment *seg, char *params)
 		return_0;

 	log_argc = atoi(args[3 + num_devs]);
-	log_args = alloca(log_argc * sizeof(char *));

-	if (log_argc > 16) {
+	if (log_argc > 16 || log_argc < 0) {
 		log_error("Unexpectedly many (%d) log arguments in %s.",
 			  log_argc, lv->name);
 		return_0;
 	}

+	log_args = alloca(log_argc * sizeof(char *));

 	if (dm_split_words(args[3 + num_devs] + strlen(args[3 + num_devs]) + 1,
 			   log_argc, 0, log_args) < log_argc)