3ec0ebefcd
- Update Source to latest upstream commit * Previous patches 0001-0011 are included in this commit - Rename files * Previous patches 0012-0019 are now patches 0021-0028 - Add 0001-libmultipath-fix-tur-checker-timeout.patch - Add 0002-libmultipath-fix-tur-checker-double-locking.patch - Add 0003-libmultipath-fix-tur-memory-misuse.patch - Add 0004-libmultipath-cleanup-tur-locking.patch - Add 0005-libmultipath-fix-tur-checker-timeout-issue.patch * The above 5 patches cleanup locking issues with the tur checker threads - Add 0006-libmultipath-fix-set_int-error-path.patch - Add 0007-libmultipath-fix-length-issues-in-get_vpd_sgio.patch - Add 0008-libmultipath-_install_keyword-cleanup.patch - Add 0009-libmultipath-remove-unused-code.patch - Add 0010-libmultipath-fix-memory-issue-in-path_latency-prio.patch - Add 0011-libmultipath-fix-null-dereference-int-alloc_path_gro.patch - Add 0012-libmutipath-don-t-use-malformed-uevents.patch - Add 0013-multipath-fix-max-array-size-in-print_cmd_valid.patch - Add 0014-multipathd-function-return-value-tweaks.patch - Add 0015-multipathd-minor-fixes.patch - Add 0016-multipathd-remove-useless-check-and-fix-format.patch - Add 0017-multipathd-fix-memory-leak-on-error-in-configure.patch * The above 12 patches fix minor issues found by coverity - Add 0018-libmultipath-Don-t-blank-intialized-paths.patch - Add 0019-libmultipath-Fixup-updating-paths.patch * Fix issues with paths whose wwid was not set or later changes - Add 0020-multipath-tweak-logging-style.patch * multipathd interactive commands now send errors to stderr, instead of syslog * The above 20 patches have been submitted upstream
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Benjamin Marzinski <bmarzins@redhat.com>
Date: Fri, 27 Jul 2018 15:36:01 -0500
Subject: [PATCH] libmultipath: fix length issues in get_vpd_sgio
When get_vpd_sgio() finds out that the vpd info needed to be truncated
to fit in the buffer, it doesn't truncate the size as well, which allows
it to overwrite the buffer. Also, once len is set to -ENODATA,
get_vpd_sgio() should exit, instead of using the negative len in
memcpy(). Found by coverity.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
libmultipath/discovery.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
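diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
index 0b1855d..3e0db7f 100644
--- a/libmultipath/discovery.c
+++ b/libmultipath/discovery.c
@@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int maxlen)
 return -ENODATA;
 }
 buff_len = get_unaligned_be16(&buff[2]) + 4;
- if (buff_len > 4096)
+ if (buff_len > 4096) {
 condlog(3, "vpd pg%02x page truncated", pg);
-
+ buff_len = 4096;
+ }
 if (pg == 0x80)
 len = parse_vpd_pg80(buff, str, maxlen);
 else if (pg == 0x83)
 len = parse_vpd_pg83(buff, buff_len, str, maxlen);
 else if (pg == 0xc9 && maxlen >= 8) {
- len = buff_len < 8 ? -ENODATA :
- (buff_len <= maxlen ? buff_len : maxlen);
- memcpy (str, buff, len);
+ if (buff_len < 8)
+ len = -ENODATA;
+ else {
+ len = (buff_len <= maxlen)? buff_len : maxlen;
+ memcpy (str, buff, len);
+ }
 } else
 len = -ENOSYS;
 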
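Review bot: The new clamp on `buff_len` only reaches the 0x83 and 0xc9 branches; the 0x80 branch still calls `parse_vpd_pg80(buff, str, maxlen)` without it. That parser is not visible in this hunk, so if it derives its read length from the page header it needs the same 4096-byte limit, either by taking `buff_len` as a parameter or by bounding it internally. In the 0xc9 branch, `memcpy (str, buff, len)` can copy exactly `maxlen` bytes and leave `str` unterminated, so a comment such as `/* pg 0xc9 is raw binary data, str is not NUL-terminated */` would document that, assuming callers treat it as binary. The literal `4096` now appears twice and presumably mirrors the size of `buff`; if `buff` is an array declared earlier in get_vpd_sgio(), `buff_len = sizeof(buff);` keeps the two from drifting apart. The body of get_vpd_sgio() starts and ends outside this hunk.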
--
2.7.4