On Fri, 2018-09-21 at 18:05 -0500, Benjamin Marzinski wrote: > When get_vpd_sgio() finds out that the vpd info needed to be > truncated > to fit in the buffer, it doesn't truncate the size as well, which > allows > it to overwrite the buffer. Also, once len is set to -ENODATA, > get_vpd_sgio() should exit, instead of using the negative len in > memcpy(). Found by Coverity. > > Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx> Reviewed-by: Martin Wilck <mwilck@xxxxxxxx> > --- > libmultipath/discovery.c | 14 +++++++++----- > 1 file changed, 9 insertions(+), 5 deletions(-) > > diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c > index 0b1855d..3e0db7f 100644 > --- a/libmultipath/discovery.c > +++ b/libmultipath/discovery.c > @@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int > maxlen) > return -ENODATA; > } > buff_len = get_unaligned_be16(&buff[2]) + 4; > - if (buff_len > 4096) > + if (buff_len > 4096) { > condlog(3, "vpd pg%02x page truncated", pg); > - > + buff_len = 4096; > + } > if (pg == 0x80) > len = parse_vpd_pg80(buff, str, maxlen); > else if (pg == 0x83) > len = parse_vpd_pg83(buff, buff_len, str, maxlen); > else if (pg == 0xc9 && maxlen >= 8) { > - len = buff_len < 8 ? -ENODATA : > - (buff_len <= maxlen ? buff_len : maxlen); > - memcpy (str, buff, len); > + if (buff_len < 8) > + len = -ENODATA; > + else { > + len = (buff_len <= maxlen)? buff_len : maxlen; > + memcpy (str, buff, len); > + } > } else > len = -ENOSYS; > -- Dr. Martin Wilck <mwilck@xxxxxxxx>, Tel. +49 (0)911 74053 2107 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
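Review bot: In the pg == 0x80 branch, parse_vpd_pg80(buff, str, maxlen) is not passed buff_len, so the new clamp to 4096 never reaches that path; only the 0x83 and 0xc9 branches see the truncated size. Either pass buff_len to parse_vpd_pg80() the way parse_vpd_pg83() already receives it, or confirm that the pg80 parser bounds its reads from buff by some other means. Separately, the literal 4096 now appears in both the comparison and the assignment; if it is the size of buff, deriving it from the buffer (or a named constant) would keep the check and the clamp from drifting apart. In the 0xc9 branch, the negative len no longer reaches memcpy(), which matches the stated intent; a space before the "?" in "(buff_len <= maxlen)? buff_len : maxlen" would match the style of the line it replaces.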