[PATCH] multipathd: check for command overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The code to build the command string calls snprintf() in a loop, adding
the return value to the start pointer, c. Since snprintf() can return
more characters than it actually printed if it runs out of space, c can
end up pointing past the end of the command string buffer on sebsequent
loops.  Since the size argument to snprintf() is unsigned, after an
overflow it will be a huge number, instead of a negative one, meaning
that it will continue printing past the end of the buffer. Check for
overflow after each snprintf() to avoid this.

Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx>
---
 multipathd/main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/multipathd/main.c b/multipathd/main.c
index 5a408945..1032fb2a 100644
--- a/multipathd/main.c
+++ b/multipathd/main.c
@@ -3707,6 +3707,10 @@ main (int argc, char *argv[])
 					c += snprintf(c, s + CMDSIZE - c,
 						      "%s ", argv[optind]);
 				optind++;
+				if (c >= s + CMDSIZE) {
+					fprintf(stderr, "multipathd command too large\n");
+					exit(1);
+				}
 			}
 			c += snprintf(c, s + CMDSIZE - c, "\n");
 		}
-- 
2.17.2

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel




[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux