Coverity warned about tainted input data.

Signed-off-by: Martin Wilck <mwi...@suse.com>
---
 libmpathcmd/mpath_cmd.c   | 4 ++++
 libmpathcmd/mpath_cmd.h   | 6 ++++++
 multipathd/cli.c          | 2 ++
 multipathd/cli.h          | 6 ++++++
 multipathd/cli_handlers.c | 1 +
 5 files changed, 19 insertions(+)

diff --git a/libmpathcmd/mpath_cmd.c b/libmpathcmd/mpath_cmd.c
index 61e6a98..df4ca54 100644
--- a/libmpathcmd/mpath_cmd.c
+++ b/libmpathcmd/mpath_cmd.c
@@ -133,6 +133,10 @@ ssize_t mpath_recv_reply_len(int fd, unsigned int timeout)
                errno = EIO;
                return -1;
        }
+       if (len <= 0 || len >= MAX_REPLY_LEN) {
+               errno = ERANGE;
+               return -1;
+       }
        return len;
 }
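Review bot: The new check `len <= 0 || len >= MAX_REPLY_LEN` depends on the type of `len`, which is declared outside this hunk (the function body starts above it). If `len` is unsigned, such as `size_t`, `len <= 0` only catches zero, and a length the peer sent as a negative value is rejected only because it wraps to something above the limit. That still bounds the value, but it should be made explicit, either by writing `len == 0` for an unsigned `len` or by adding a comment such as `/* length is supplied by the peer: bound it before a caller sizes a buffer from it */`. The function's documentation in mpath_cmd.h should also say that -1 with `errno == ERANGE` is now a possible result.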
 
diff --git a/libmpathcmd/mpath_cmd.h b/libmpathcmd/mpath_cmd.h
index df9d938..15aeb06 100644
--- a/libmpathcmd/mpath_cmd.h
+++ b/libmpathcmd/mpath_cmd.h
@@ -20,6 +20,12 @@
 #ifndef LIB_MPATH_CMD_H
 #define LIB_MPATH_CMD_H
 
+/*
+ * This should be sufficient for json output for >10000 maps,
+ * and >60000 paths.
+ */
+#define MAX_REPLY_LEN (32 * 1024 * 1024)
+
 #ifdef __cplusplus
 extern "C" {
 #endif
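Review bot: The comment above `MAX_REPLY_LEN` gives the sizing rationale but not the unit or how the limit is applied. Both users in this patch treat it as an exclusive upper bound (`len >= MAX_REPLY_LEN` is rejected in mpath_recv_reply_len, `m >= MAX_REPLY_LEN` stops buffer growth in cli.h), so I would add a line such as `Upper bound (exclusive), in bytes, on a single multipathd reply.` This header looks like the library's public interface, so a prefixed name such as `MPATH_MAX_REPLY_LEN` would be less likely to clash with macros in client code.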
diff --git a/multipathd/cli.c b/multipathd/cli.c
index a75afe3..ca176a9 100644
--- a/multipathd/cli.c
+++ b/multipathd/cli.c
@@ -13,7 +13,9 @@
 #include "version.h"
 #include <readline/readline.h>
 
+#include "mpath_cmd.h"
 #include "cli.h"
+#include "debug.h"
 
 static vector keys;
 static vector handlers;
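Review bot: cli.h is left depending on its includers for `MAX_REPLY_LEN` and `condlog`, which the macro changed in this patch now expands to. That is why mpath_cmd.h and debug.h have to be included before cli.h here, and why the same ordering is added to cli_handlers.c further down. Putting `#include "mpath_cmd.h"` and `#include "debug.h"` at the top of cli.h would make the header self-contained, so a future includer does not fail to build or pick up a stale definition. cli.h's own include list is not visible in this patch, so this assumes it does not already pull them in.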
diff --git a/multipathd/cli.h b/multipathd/cli.h
index 7cc7e4b..f3fa077 100644
--- a/multipathd/cli.h
+++ b/multipathd/cli.h
@@ -96,6 +96,12 @@ enum {
        do {                                                    \
                if ((a)) {                                      \
                        char *tmp = (r);                        \
+                                                               \
+                       if (m >= MAX_REPLY_LEN) {               \
+                               condlog(1, "Warning: max reply length 
exceeded"); \
+                               free(tmp);                      \
+                               r = NULL;                       \
+                       }                                       \
                        (r) = REALLOC((r), (m) * 2);            \
                        if ((r)) {                              \
                                memset((r) + (m), 0, (m));      \
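Review bot: The added limit check does not stop the macro. After `free(tmp); r = NULL;` execution continues into `(r) = REALLOC((r), (m) * 2);`, which (assuming REALLOC has realloc semantics) acts as a fresh allocation when given NULL. The buffer therefore still grows past MAX_REPLY_LEN, the old reply is lost, and `memset((r) + (m), 0, (m))` leaves the first `m` bytes uninitialised. `tmp` is also dangling after the free, so a later `free(tmp)` on the macro's failure path, which lies outside this hunk, would be a double free. The growth should be skipped when the limit is hit, for example by making the REALLOC line the `else` branch of the new `if`. The new lines should also parenthesise the macro arguments like the rest of the macro: `if ((m) >= MAX_REPLY_LEN)` and `(r) = NULL;`.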
diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c
index 6304ed3..f979a18 100644
--- a/multipathd/cli_handlers.c
+++ b/multipathd/cli_handlers.c
@@ -26,6 +26,7 @@
 #include "prkey.h"
 #include "propsel.h"
 #include "main.h"
+#include "mpath_cmd.h"
 #include "cli.h"
 #include "uevent.h"
 #include "foreign.h"
-- 
2.19.2
