50 lines
1.4 KiB
Diff
50 lines
1.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Marzinski <bmarzins@redhat.com>
|
|
Date: Thu, 16 May 2019 13:31:35 -0500
|
|
Subject: [PATCH] multipathd: fix REALLOC_REPLY with max length reply
|
|
|
|
Commit cd5a9797e added code to REALLOC_REPLY() that intended to stop
|
|
growing the reply buffer after it reached a maximum size. However this
|
|
coded didn't stop the realloc() from happening. Worse, if the realloci()
|
|
failed, multipathd would double free the reply buffer. Found by
|
|
Coverity.
|
|
|
|
Fixes: cd5a9797e "libmpathcmd(coverity): limit reply length"
|
|
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
|
|
---
|
|
multipathd/cli.h | 17 +++++++++--------
|
|
1 file changed, 9 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/multipathd/cli.h b/multipathd/cli.h
|
|
index f3fa077..32dcffa 100644
|
|
--- a/multipathd/cli.h
|
|
+++ b/multipathd/cli.h
|
|
@@ -100,15 +100,16 @@ enum {
|
|
if (m >= MAX_REPLY_LEN) { \
|
|
condlog(1, "Warning: max reply length exceeded"); \
|
|
free(tmp); \
|
|
- r = NULL; \
|
|
+ (r) = NULL; \
|
|
+ } else { \
|
|
+ (r) = REALLOC((r), (m) * 2); \
|
|
+ if ((r)) { \
|
|
+ memset((r) + (m), 0, (m)); \
|
|
+ (m) *= 2; \
|
|
+ } \
|
|
+ else \
|
|
+ free(tmp); \
|
|
} \
|
|
- (r) = REALLOC((r), (m) * 2); \
|
|
- if ((r)) { \
|
|
- memset((r) + (m), 0, (m)); \
|
|
- (m) *= 2; \
|
|
- } \
|
|
- else \
|
|
- free(tmp); \
|
|
} \
|
|
} while (0)
|
|
|
|
--
|
|
2.17.2
|
|
|