libmultipath: fix parsing of VPD 83 type 1 (T10 vendor ID)
authorMartin Wilck <mwilck@suse.com>
Mon, 24 Jun 2019 09:27:40 +0000 (11:27 +0200)
committerChristophe Varoqui <christophe.varoqui@opensvc.com>
Wed, 3 Jul 2019 06:31:24 +0000 (08:31 +0200)
In the buffer overflow case, the code would set p_len = out_len - len - 2,
then len = len + p_len = out_len - 2, and check if len >= out_len - 1,
which is never the case. Rather, set p_len = out_len - len - 1, and
check the length again before appending the underscore.

Fixes: 18176202e75c "Read wwid from sysfs vpg_pg83 attribute"
Signed-off-by: Martin Wilck <mwilck@suse.com>
libmultipath/discovery.c

index 407e64a..f360e30 100644 (file)
@@ -1065,8 +1065,11 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,
                        p = vpd;
                        while ((p = memchr(vpd, ' ', vpd_len))) {
                                p_len = p - vpd;
-                               if (len + p_len > out_len - 1)
-                                       p_len = out_len - len - 2;
+                               if (len + p_len > out_len - 1) {
+                                       condlog(1, "%s: WWID overflow, type 1, %d/%lu bytes required",
+                                               __func__, len + p_len, out_len);
+                                       p_len = out_len - len - 1;
+                               }
                                memcpy(out + len, vpd, p_len);
                                len += p_len;
                                if (len >= out_len - 1) {
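Review bot: The new condlog() call in the overflow branch prints `out_len` with `%lu` and `len + p_len` with `%d`, and those specifiers may not match the argument types. The hunk header shows `in_len` declared as `size_t`; if `out_len`, `len` or `p_len` are also `size_t` (their declarations are outside the hunk), the mismatch is undefined behaviour on targets where `size_t` is not `unsigned long`. Using `%zu` for the size_t values would be portable, e.g. `condlog(1, "%s: WWID overflow, type 1, %zu/%zu bytes required", __func__, (size_t)(len + p_len), out_len);`. Separately, the clamp `p_len = out_len - len - 1` relies on `len <= out_len - 1` at loop entry, so it is worth confirming that `out_len` is at least 2 before this loop is reached, since an unsigned wrap there would feed a huge length to the memcpy() on the next line.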
@@ -1075,6 +1078,10 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,
                                }
                                out[len] = '_';
                                len ++;
+                               if (len >= out_len - 1) {
+                                       out[len] = '\0';
+                                       break;
+                               }
                                vpd = p;
                                vpd_len -= p_len;
                                while (vpd && *vpd == ' ') {
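Review bot: The added `if (len >= out_len - 1)` branch after the underscore is appended terminates the string and breaks without logging, so a WWID truncated here is silent. This path is reached without the earlier condlog() firing when a field fits exactly (`len + p_len == out_len - 2`), which leaves `out` ending in `_` with the rest of the descriptor dropped. Because a shortened identifier can make distinct devices look alike, the branch should log like the overflow branch does, e.g. `condlog(1, "%s: WWID overflow, type 1, output truncated", __func__);` before `out[len] = '\0';`. The loop and the function's return path continue outside the hunk, so whether the caller can tell a truncated WWID from a complete one is not visible here and should be checked.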