libmpathcmd(coverity): limit reply length
authorMartin Wilck <mwilck@suse.com>
Tue, 8 Jan 2019 22:54:03 +0000 (23:54 +0100)
committerChristophe Varoqui <christophe.varoqui@opensvc.com>
Sat, 19 Jan 2019 10:41:41 +0000 (11:41 +0100)
coverity warned about tainted input data.

Signed-off-by: Martin Wilck <mwilck@suse.com>
libmpathcmd/mpath_cmd.c
libmpathcmd/mpath_cmd.h
multipathd/cli.c
multipathd/cli.h
multipathd/cli_handlers.c

index 61e6a98..df4ca54 100644 (file)
@@ -133,6 +133,10 @@ ssize_t mpath_recv_reply_len(int fd, unsigned int timeout)
                errno = EIO;
                return -1;
        }
+       if (len <= 0 || len >= MAX_REPLY_LEN) {
+               errno = ERANGE;
+               return -1;
+       }
        return len;
 }
 
index df9d938..15aeb06 100644 (file)
 #ifndef LIB_MPATH_CMD_H
 #define LIB_MPATH_CMD_H
 
+/*
+ * This should be sufficient for json output for >10000 maps,
+ * and >60000 paths.
+ */
+#define MAX_REPLY_LEN (32 * 1024 * 1024)
+
 #ifdef __cplusplus
 extern "C" {
 #endif
index a75afe3..ca176a9 100644 (file)
@@ -13,7 +13,9 @@
 #include "version.h"
 #include <readline/readline.h>
 
+#include "mpath_cmd.h"
 #include "cli.h"
+#include "debug.h"
 
 static vector keys;
 static vector handlers;
index 7cc7e4b..f3fa077 100644 (file)
@@ -96,6 +96,12 @@ enum {
        do {                                                    \
                if ((a)) {                                      \
                        char *tmp = (r);                        \
+                                                               \
+                       if (m >= MAX_REPLY_LEN) {               \
+                               condlog(1, "Warning: max reply length exceeded"); \
+                               free(tmp);                      \
+                               r = NULL;                       \
+                       }                                       \
                        (r) = REALLOC((r), (m) * 2);            \
                        if ((r)) {                              \
                                memset((r) + (m), 0, (m));      \
index f9e9d69..f95813e 100644 (file)
@@ -26,6 +26,7 @@
 #include "prkey.h"
 #include "propsel.h"
 #include "main.h"
+#include "mpath_cmd.h"
 #include "cli.h"
 #include "uevent.h"
 #include "foreign.h"