From 40efa03c9a35f3a06260bb7a8d678c9198c5cc34 Mon Sep 17 00:00:00 2001
From: Kotresh HR
Date: Tue, 20 Jun 2017 06:26:18 -0400
Subject: [PATCH 524/525] feature/changelog: Fix buffer overflow crash
The buffer used to hold the basename was hard coded to the size of NAME_MAX(255). It might lead to buffer overflow crashes when the basename which is sent is more than NAME_MAX length. Fixed the same.
> Change-Id: I6c1cad3ccaeb8c55549b1d3c5f96a198f65ba2b7
> BUG: 1463178
> Signed-off-by: Kotresh HR
> Reviewed-on: https://review.gluster.org/17579
> CentOS-regression: Gluster Build System
> NetBSD-regression: NetBSD Build System
> Smoke: Gluster Build System
> Reviewed-by: jiffin tony Thottan
Change-Id: I6c1cad3ccaeb8c55549b1d3c5f96a198f65ba2b7
BUG: 1462773
Signed-off-by: Kotresh HR
Reviewed-on: https://code.engineering.redhat.com/gerrit/109655
Reviewed-by: Atin Mukherjee
---
 xlators/features/changelog/src/changelog.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xlators/features/changelog/src/changelog.c b/xlators/features/changelog/src/changelog.c
index 8817359..a43436a 100644
--- a/xlators/features/changelog/src/changelog.c
+++ b/xlators/features/changelog/src/changelog.c
@@ -221,8 +221,8 @@ changelog_unlink (call_frame_t *frame, xlator_t *this,
 gf_boolean_t barrier_enabled = _gf_false;
 dht_changelog_rename_info_t *info = NULL;
 int ret = 0;
- char old_name[NAME_MAX] = {0};
- char new_name[NAME_MAX] = {0};
+ char *old_name = NULL;
+ char *new_name = NULL;
 char *nname = NULL;
 INIT_LIST_HEAD (&queue);
@@ -233,6 +233,8 @@ changelog_unlink (call_frame_t *frame, xlator_t *this,
 ret = dict_get_bin (xdata, DHT_CHANGELOG_RENAME_OP_KEY, (void **)&info);
 if (!ret) { /* special case: unlink considered as rename */
 /* 3 == fop + oldloc + newloc */
+ old_name = alloca (info->oldname_len);
+ new_name = alloca (info->newname_len);
 CHANGELOG_INIT_NOCHECK (this, frame->local, NULL, loc->inode->gfid, 3);
--
1.8.3.1
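Review bot: The two `alloca()` calls in the second hunk size stack buffers directly from `info->oldname_len` and `info->newname_len`, which come from the `xdata` blob returned by `dict_get_bin()`, and nothing visible bounds them. `alloca()` cannot report failure, so an oversized length trades the fixed-buffer overflow for stack exhaustion or corruption. Check both lengths against a ceiling before allocating, e.g. `if (info->oldname_len > NAME_LEN_LIMIT || info->newname_len > NAME_LEN_LIMIT)` followed by an error exit (`NAME_LEN_LIMIT` is a placeholder, not an existing macro), or use a heap allocation that can fail cleanly. The buffers also lose the `{0}` initialisation the arrays had in the first hunk, so it is worth confirming that the copy which fills them, outside these hunks, writes the terminating NUL itself. The body of `changelog_unlink` continues beyond both hunks.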