master - ccsais: fix buffer overflow when reading huge config files
- From: "Fabio M. Di Nitto" <fabbione at fedoraproject dot org>
- To: cluster-cvs-relay at redhat dot com
- Date: Wed, 29 Oct 2008 08:09:58 +0000 (UTC)
- Subject: master - ccsais: fix buffer overflow when reading huge config files
Gitweb: http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=67fee9128e54c6c3fc3eae306b5b501f3029c3be
Commit: 67fee9128e54c6c3fc3eae306b5b501f3029c3be
Parent: 74577abb0191939a47bacf1453390c937346a08c
Author: Fabio M. Di Nitto <fdinitto@redhat.com>
AuthorDate: Wed Oct 29 09:07:33 2008 +0100
Committer: Fabio M. Di Nitto <fdinitto@redhat.com>
CommitterDate: Wed Oct 29 09:07:33 2008 +0100
ccsais: fix buffer overflow when reading huge config files
it was possible to overflow a buffer when adding more than 52 entries
within the same xml block:
<block>
<entry1...
<entry2...
....
<entry53.. <-
</block>
fix the overflow by increasing the limit to 1024 and fail to start if
we hit the limit.
Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
---
config/plugins/ccsais/config.c | 19 ++++++++++++++++---
1 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/config/plugins/ccsais/config.c b/config/plugins/ccsais/config.c
index 6ee1c0b..ad3c40a 100644
--- a/config/plugins/ccsais/config.c
+++ b/config/plugins/ccsais/config.c
@@ -19,6 +19,10 @@
#define CONFIG_VERSION_PATH "/cluster/@config_version"
#define CONFIG_NAME_PATH "/cluster/@name"
+#ifndef MAXXMLNODES
+#define MAXXMLNODES 1024
+#endif
+
static int ccs_readconfig(struct objdb_iface_ver0 *objdb, char **error_string);
static int ccs_reloadconfig(struct objdb_iface_ver0 *objdb, int flush, char **error_string);
static int init_config(struct objdb_iface_ver0 *objdb, char *error_string);
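Review bot: `MAXXMLNODES` is added without a comment saying what it bounds or what it costs to raise. The `#ifndef` guard lets a build override it, and the next hunk uses it to size the `subkeys` array on the stack of `read_config_for`, which calls itself once per nesting level, so each level costs `MAXXMLNODES * sizeof(char *)` bytes of stack. I would add something like `/* Max child entries per XML block; sizes a stack array in the recursive read_config_for(), so keep it modest. */` above the define.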
@@ -91,7 +95,7 @@ static int read_config_for(int ccs_fd, struct objdb_iface_ver0 *objdb, unsigned
unsigned int object_handle = 0;
char path[256];
int gotcount = 0;
- char *subkeys[52];
+ char *subkeys[MAXXMLNODES];
int subkeycount = 0;
int i;
@@ -156,6 +160,8 @@ static int read_config_for(int ccs_fd, struct objdb_iface_ver0 *objdb, unsigned
continue;
}
subkeys[subkeycount++] = str;
+ if (subkeycount >= MAXXMLNODES)
+ return -1;
}
for (i=0; i<subkeycount; i++)
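Review bot: The limit check sits after `subkeys[subkeycount++] = str;`, so it fires as soon as the array is exactly full and rejects a block of exactly MAXXMLNODES entries even though every pointer fit. The write stays in bounds, but the effective limit is MAXXMLNODES - 1; testing `if (subkeycount >= MAXXMLNODES)` before the store would accept a full array and still reject the next entry. The early `return -1` also abandons the strings already collected in `subkeys`, which look heap-allocated given the later `free(str)`, and the `return -1` added in the sub-section loop skips that `free(str)` in the same way. That is harmless if the process exits on this error, but worth a cleanup path if initialisation can be retried. `read_config_for` starts and ends outside this hunk.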
@@ -167,11 +173,15 @@ static int read_config_for(int ccs_fd, struct objdb_iface_ver0 *objdb, unsigned
for (;;)
{
char subpath[1024];
+ int res;
/* Found a subkey, iterate through it's sub sections */
sprintf(subpath, "%s/%s[%d]", key, str, ++count);
- if (!read_config_for(ccs_fd, objdb, object_handle, str, subpath, 0))
+ res = read_config_for(ccs_fd, objdb, object_handle, str, subpath, 0);
+ if (!res)
break;
+ if (res < 0)
+ return -1;
}
free(str);
}
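Review bot: The `sprintf` into `char subpath[1024]` on the context line is still unbounded, which is the same class of problem this commit sets out to fix for large config files. `key` appears to be the path handed down from the caller, since `subpath` is passed back into the recursive call, so the formatted string grows with each nesting level and with the length of the element name in `str`. I would bound it with `int n = snprintf(subpath, sizeof(subpath), "%s/%s[%d]", key, str, ++count);` and fail on truncation with `if (n < 0 || (size_t)n >= sizeof(subpath)) return -1;`. The message set in `init_config` would then need to cover more than "too many nodes". `read_config_for` starts and ends outside this hunk.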
@@ -216,7 +226,10 @@ static int init_config(struct objdb_iface_ver0 *objdb, char *error_string)
return -1;
}
- read_config_for(cd, objdb, OBJECT_PARENT_HANDLE, "cluster", "/cluster", 1);
+ if(read_config_for(cd, objdb, OBJECT_PARENT_HANDLE, "cluster", "/cluster", 1) < 0) {
+ strcpy(error_string, "Error: too many nodes within the same XML block\n");
+ return -1;
+ }
ccs_disconnect(cd);
return 0;
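Review bot: The new error branch returns without calling `ccs_disconnect(cd)`, which the success path does on the very next line, so the ccs connection is left open when the limit is hit. Adding `ccs_disconnect(cd);` before the `return -1;` would fix that. The `strcpy` into `error_string` also depends on the caller's buffer being large enough for the message, and that size is not visible here; a bounded copy would need the size passed in alongside the pointer. `init_config` starts outside this hunk.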