libmpathpersist(coverity): range checking for PRIN length
authorMartin Wilck <mwilck@suse.com>
Tue, 8 Jan 2019 22:54:07 +0000 (23:54 +0100)
committerChristophe Varoqui <christophe.varoqui@opensvc.com>
Sat, 19 Jan 2019 10:51:56 +0000 (11:51 +0100)
Signed-off-by: Martin Wilck <mwilck@suse.com>
libmpathpersist/mpath_pr_ioctl.c

index c4f4ccd..cf528fe 100644 (file)
@@ -211,7 +211,8 @@ void mpath_format_readfullstatus(struct prin_resp *pr_buff, int len, int noisy)
        unsigned char *p;
        char  *ppbuff;
        uint32_t additional_length;
-
+       char tempbuff[MPATH_MAX_PARAM_LEN];
+       struct prin_fulldescr fdesc;
 
        convert_be32_to_cpu(&pr_buff->prin_descriptor.prin_readfd.prgeneration);
        convert_be32_to_cpu(&pr_buff->prin_descriptor.prin_readfd.number_of_descriptor);
@@ -223,9 +224,12 @@ void mpath_format_readfullstatus(struct prin_resp *pr_buff, int len, int noisy)
        }
 
        additional_length = pr_buff->prin_descriptor.prin_readfd.number_of_descriptor;
+       if (additional_length > MPATH_MAX_PARAM_LEN) {
+               condlog(3, "PRIN length %u exceeds max length %d", additional_length,
+                       MPATH_MAX_PARAM_LEN);
+               return;
+       }
 
-       char tempbuff[MPATH_MAX_PARAM_LEN];
-       struct prin_fulldescr fdesc;
        memset(&fdesc, 0, sizeof(struct prin_fulldescr));
 
        memcpy( tempbuff, pr_buff->prin_descriptor.prin_readfd.private_buffer,MPATH_MAX_PARAM_LEN );
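Review bot: The new early `return;` leaves `number_of_descriptor` holding the oversized, device-supplied length, and because the function returns void the caller cannot tell that the response was rejected. If code outside this hunk later treats that field as a descriptor count (not visible here), it would still act on the unchecked value. Consider clearing the field before returning, `pr_buff->prin_descriptor.prin_readfd.number_of_descriptor = 0;`, so a rejected response reads as empty. The check also bounds only the total length, so any per-descriptor lengths parsed further down in the function, which continues past this hunk, presumably need their own comparison against `additional_length`.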