From 1aa17a84422024a4941843474b58f78827b9d2c9 Mon Sep 17 00:00:00 2001
From: Amar Tumballi <amarts@redhat.com>
Date: Tue, 24 Jul 2018 13:25:12 +0530
Subject: [PATCH 336/351] dict: handle negative key/value length while
unserialize
BUG: 1607407
Change-Id: Ie56df0da46c242846a1ba51ccb9e011af118b119
Signed-off-by: Amar Tumballi <amarts@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/145895
Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
Tested-by: Atin Mukherjee <amukherj@redhat.com>
---
libglusterfs/src/dict.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libglusterfs/src/dict.c b/libglusterfs/src/dict.c
index 36d91a7..40458ca 100644
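--- a/libglusterfs/src/dict.c
+++ b/libglusterfs/src/dict.c
@@ -3003,7 +3003,8 @@ dict_unserialize (char *orig_buf, int32_t size, dict_t **fill)
 vallen = ntoh32 (hostord);
 buf += DICT_DATA_HDR_VAL_LEN;
 
- if ((buf + keylen) > (orig_buf + size)) {
+ if ((keylen < 0) || (vallen < 0) ||
+ (buf + keylen) > (orig_buf + size)) {
 gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
 LG_MSG_UNDERSIZED_BUF,
 "undersized buffer passed. "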
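Review bot: The upper bound in the new condition is still tested as `(buf + keylen) > (orig_buf + size)`, which advances the pointer by a length taken from the serialized buffer before comparing. For a large positive keylen that forms a pointer past the end of the buffer, which is undefined behaviour in C and can wrap or be optimised away, so the check may not fire. With negatives now rejected first, compare lengths instead: `(keylen > (orig_buf + size) - buf)`. The negative-length case is also reported as "undersized buffer passed" under LG_MSG_UNDERSIZED_BUF, which will mislead anyone triaging a malformed dict; a message naming the offending field would be clearer. vallen gets no upper bound in this hunk; dict_unserialize continues outside it, so confirm that the later value check uses the same length-based form.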
--
1.8.3.1