rpms / glusterfs

Clone
Source Code
GIT

Blame SOURCES/0605-Coverity-Fix-copy-into-fixed-size-buffer-CID-1325542.patch

c4 c5 c5-plus c6 c6-plus c6-sig-storage-gluster-5 c6-sig-storage-gluster-6 c6-sig-storage-gluster-7 c7 c7-alt c7-atomic c7-beta c7-sig-storage-gluster-5 c7-sig-storage-gluster-6 c7-sig-storage-gluster-7 c7-sig-storage-gluster-8 c7-sig-storage-gluster-9 c8 c8-beta c8-sig-storage-gluster-10 c8-sig-storage-gluster-6 c8-sig-storage-gluster-7 c8-sig-storage-gluster-8 c8-sig-storage-gluster-9 c8s c8s-sig-storage-gluster-10 c8s-sig-storage-gluster-11 c8s-sig-storage-gluster-8 c8s-sig-storage-gluster-9 c9 c9-beta c9s-sig-storage-gluster-10 c9s-sig-storage-gluster-11 c9s-sig-storage-gluster-9
  1.   4ae7a0419cbe594e6fd3bd994e2080b23c923551
  2.   SOURCES
  3.   0605-Coverity-Fix-copy-into-fixed-size-buffer-CID-1325542.patch
Blob History Raw
d2787b 
From 25fc2530f7ee6d7267e2ccc1b75a47a3ae539dff Mon Sep 17 00:00:00 2001
d2787b 
From: karthik-us <ksubrahm@redhat.com>
d2787b 
Date: Thu, 7 Oct 2021 21:29:27 +0530
d2787b 
Subject: [PATCH 605/610] Coverity: Fix copy into fixed size buffer (CID:
d2787b 
 1325542)
d2787b
d2787b 
Problem:
d2787b 
In __mnt3_fresh_lookup() mres->resolveloc.path is being copied into
d2787b 
a fixed size string mres->remainingdir, with strncpy without checking
d2787b 
the size of the source string. This could lead to string overflow.
d2787b
d2787b 
Fix:
d2787b 
Copy only till the destination string length and check whether the
d2787b 
soruce string overflows. If so log an error message and return.
d2787b
d2787b 
> Upstream patch: https://github.com/gluster/glusterfs/pull/2474/
d2787b 
> Change-Id: I26dd0653d2636c667ad4e356d12d3d51956c77c3
d2787b 
> Signed-off-by: karthik-us <ksubrahm@redhat.com>
d2787b 
> Updates: gluster#1060
d2787b
d2787b 
BUG: 1997447
d2787b 
Change-Id: I26dd0653d2636c667ad4e356d12d3d51956c77c3
d2787b 
Signed-off-by: karthik-us <ksubrahm@redhat.com>
d2787b 
Reviewed-on: https://code.engineering.redhat.com/gerrit/c/rhs-glusterfs/+/280106
d2787b 
Tested-by: RHGS Build Bot <nigelb@redhat.com>
d2787b 
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
d2787b 
---
d2787b 
 xlators/nfs/server/src/mount3.c | 9 +++++++--
d2787b 
 1 file changed, 7 insertions(+), 2 deletions(-)
d2787b
d2787b 
diff --git a/xlators/nfs/server/src/mount3.c b/xlators/nfs/server/src/mount3.c
d2787b 
index 734453c..3951b9e 100644
d2787b 
--- a/xlators/nfs/server/src/mount3.c
d2787b 
+++ b/xlators/nfs/server/src/mount3.c
d2787b 
@@ -1104,8 +1104,13 @@ __mnt3_fresh_lookup(mnt3_resolve_t *mres)
d2787b 
 {
d2787b 
     inode_unlink(mres->resolveloc.inode, mres->resolveloc.parent,
d2787b 
                  mres->resolveloc.name);
d2787b 
-    strncpy(mres->remainingdir, mres->resolveloc.path,
d2787b 
-            strlen(mres->resolveloc.path));
d2787b 
+    if (snprintf(mres->remainingdir, sizeof(mres->remainingdir), "%s",
d2787b 
+                 mres->resolveloc.path) >= sizeof(mres->remainingdir)) {
d2787b 
+        gf_msg(GF_MNT, GF_LOG_ERROR, EFAULT, NFS_MSG_RESOLVE_INODE_FAIL,
d2787b 
+               "Failed to copy resolve path: %s", mres->resolveloc.path);
d2787b 
+        nfs_loc_wipe(&mres->resolveloc);
d2787b 
+        return -EFAULT;
d2787b 
+    }
d2787b 
     nfs_loc_wipe(&mres->resolveloc);
d2787b 
     return __mnt3_resolve_subdir(mres);
d2787b 
 }
d2787b 
--
d2787b 
1.8.3.1
d2787b

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation