One of the memcpy(3) callsites in notify_host() uses the size of the
copy target to prevent an overrun of the target buffer. However, the
target is a sockaddr_storage, while the source is never larger than
a sockaddr_in6.
Copying off the end of a sockaddr_in6 returned by getaddrinfo(3) could
potentially cause a segfault if the allocated memory containing the
socket address is near the end of a page, and the next page is
protected.
Introduced by commit 93e355bf.
Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
---
utils/statd/sm-notify.c | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/utils/statd/sm-notify.c b/utils/statd/sm-notify.c
index ea4ce23..1983ef6 100644
--- a/utils/statd/sm-notify.c
+++ b/utils/statd/sm-notify.c
@@ -61,6 +61,7 @@ struct nsm_host {
char * name;
char * path;
struct sockaddr_storage addr;
+ socklen_t addrlen;
struct addrinfo *ai;
time_t last_used;
time_t send_next;
@@ -377,7 +378,6 @@ notify_host(int sock, struct nsm_host *host)
{
struct sockaddr_storage address;
struct sockaddr *dest = (struct sockaddr *)&address;
- socklen_t destlen = sizeof(address);
static unsigned int xid = 0;
uint32_t msgbuf[MAXMSGSIZE], *p;
unsigned int len;
@@ -409,10 +409,11 @@ notify_host(int sock, struct nsm_host *host)
*/
if (host->retries >= 4) {
/* don't rotate if there is only one addrinfo */
- if (host->ai->ai_next == NULL)
+ if (host->ai->ai_next == NULL) {
memcpy(&host->addr, host->ai->ai_addr,
host->ai->ai_addrlen);
- else {
+ host->addrlen = host->ai->ai_addrlen;
+ } else {
struct addrinfo *first = host->ai;
struct addrinfo **next = &host->ai;
@@ -427,13 +428,14 @@ notify_host(int sock, struct nsm_host *host)
*next = first;
memcpy(&host->addr, first->ai_addr,
first->ai_addrlen);
+ host->addrlen = host->ai->ai_addrlen;
}
nfs_set_port((struct sockaddr *)&host->addr, 0);
host->retries = 0;
}
- memcpy(dest, &host->addr, destlen);
+ memcpy(dest, &host->addr, host->addrlen);
if (nfs_get_port(dest) == 0) {
/* Build a PMAP packet */
xlog(D_GENERAL, "Sending portmap query to %s", host->name);
@@ -472,10 +474,10 @@ notify_host(int sock, struct nsm_host *host)
}
len = (p - msgbuf) << 2;
- if (sendto(sock, msgbuf, len, 0, dest, destlen) < 0)
+ if (sendto(sock, msgbuf, len, 0, dest, host->addrlen) < 0)
xlog_warn("Sending Reboot Notification to "
"'%s' failed: errno %d (%m)", host->name, errno);
-
+
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
