IPC is using buffer of CS_MAX_NAME_LENGTH for name. If user calls function with longer string, such string can be passed to service incomplete. Solution is to not allow string larger then CS_MAX_NAME_LENGTH (what is same as ICMAP_KEYNAME_MAXLEN) and return error.
Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
 lib/cmap.c | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/lib/cmap.c b/lib/cmap.c
index bfe7d6e..6333295 100644
--- a/lib/cmap.c
+++ b/lib/cmap.c
@@ -361,6 +361,10 @@ cs_error_t cmap_set (
 return (CS_ERR_INVALID_PARAM);
 }
+ if (strlen(key_name) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
+
 error = hdb_error_to_cs(hdb_handle_get (&cmap_handle_t_db, handle, (void *)&cmap_inst));
 if (error != CS_OK) {
 return (error);
@@ -468,6 +472,9 @@ cs_error_t cmap_delete(cmap_handle_t handle, const char *key_name)
 if (key_name == NULL) {
 return (CS_ERR_INVALID_PARAM);
 }
+ if (strlen(key_name) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
 error = hdb_error_to_cs(hdb_handle_get (&cmap_handle_t_db, handle, (void *)&cmap_inst));
 if (error != CS_OK) {
@@ -517,6 +524,9 @@ cs_error_t cmap_get(
 if (key_name == NULL) {
 return (CS_ERR_INVALID_PARAM);
 }
+ if (strlen(key_name) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
 error = hdb_error_to_cs(hdb_handle_get (&cmap_handle_t_db, handle, (void *)&cmap_inst));
 if (error != CS_OK) {
@@ -714,6 +724,9 @@ static cs_error_t cmap_adjust_int(cmap_handle_t handle, const char *key_name, in
 if (key_name == NULL) {
 return (CS_ERR_INVALID_PARAM);
 }
+ if (strlen(key_name) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
 error = hdb_error_to_cs(hdb_handle_get (&cmap_handle_t_db, handle, (void *)&cmap_inst));
 if (error != CS_OK) {
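Review bot: The boundary of the new length check in cmap_set is undocumented: the code rejects a key whose length equals CS_MAX_NAME_LENGTH (`>=`), while the commit message speaks of strings "larger than" the limit. A short comment above the check, e.g. `/* key_name must be shorter than CS_MAX_NAME_LENGTH, the size of the IPC name buffer */`, would pin down which is intended; the same applies to the identical checks in cmap_delete, cmap_get and cmap_adjust_int. CS_ERR_NAME_TOO_LONG is also a new return value for these functions, so their API documentation should list it alongside CS_ERR_INVALID_PARAM. The function bodies start and end outside the hunks.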
@@ -781,6 +794,9 @@ cs_error_t cmap_iter_init(
 req_lib_cmap_iter_init.header.id = MESSAGE_REQ_CMAP_ITER_INIT;
 if (prefix) {
+ if (strlen(prefix) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
 memcpy(req_lib_cmap_iter_init.prefix.value, prefix, strlen(prefix));
 req_lib_cmap_iter_init.prefix.length = strlen(prefix);
 }
@@ -943,6 +959,9 @@ cs_error_t cmap_track_add(
 req_lib_cmap_track_add.header.id = MESSAGE_REQ_CMAP_TRACK_ADD;
 if (key_name) {
+ if (strlen(key_name) >= CS_MAX_NAME_LENGTH) {
+ return (CS_ERR_NAME_TOO_LONG);
+ }
 memcpy(req_lib_cmap_track_add.key_name.value, key_name, strlen(key_name));
 req_lib_cmap_track_add.key_name.length = strlen(key_name);
 }
-- 
1.7.1
_______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss
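Review bot: The early return added inside `if (prefix)` in cmap_iter_init sits after the request header is already being filled in, whereas in cmap_set, cmap_delete, cmap_get and cmap_adjust_int the same check runs before hdb_handle_get. If the instance reference has already been taken at this point (the start of the function is outside the hunk, so this is inferred), returning directly skips the matching hdb_handle_put and leaks a reference each time an over-long prefix is passed. Moving the test up next to the other parameter checks, `if (prefix != NULL && strlen(prefix) >= CS_MAX_NAME_LENGTH) { return (CS_ERR_NAME_TOO_LONG); }`, avoids that. The same applies to the key_name check in cmap_track_add.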