Hi Quang,

ACK from me.

Best Regards,
ThuanTr

-----Original Message-----
From: Quang Xuan Nhat Nghiem <quang.xn.ngh...@dektech.com.au> 
Sent: Wednesday, November 11, 2020 3:50 PM
To: Minh Hon Chau <minh.c...@dektech.com.au>; Thuan Tran 
<thuan.t...@dektech.com.au>
Cc: opensaf-devel@lists.sourceforge.net; Quang Xuan Nhat Nghiem 
<quang.xn.ngh...@dektech.com.au>
Subject: [PATCH 1/1] ntf: fix coredump while creating object having string 
value, SA_NOTIFY [#3232]

When create or modify an object having size of attribute value over 65535,
this actual size will be truncated because dataSize of saNtfPtrValAllocate
is SaUint16T (from 0 to 65535). Thus, after saNtfPtrValAllocate's invoked,
the attribute value is assigned to the memory allocated with the actual
size over 65535 and cause a memory corruption.
Solution is prevent the size of data and log a warning if is's over 65535.
---
 src/ntf/ntfimcnd/ntfimcn_notifier.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/ntf/ntfimcnd/ntfimcn_notifier.c 
b/src/ntf/ntfimcnd/ntfimcn_notifier.c
index c63b4393f..05cbb6a67 100644
--- a/src/ntf/ntfimcnd/ntfimcn_notifier.c
+++ b/src/ntf/ntfimcnd/ntfimcn_notifier.c
@@ -233,6 +233,13 @@ static int fill_value_array(SaNtfNotificationHandleT 
notificationHandle,
 
        TRACE_ENTER();
 
+       if (value_in_size > USHRT_MAX) {
+               LOG_WA("Failed to prepare notification as attr value size "
+                      "(%llu) > MAX(%u)",
+                      value_in_size, USHRT_MAX);
+               internal_rc = (-1);
+               goto done;
+       }
        rc = saNtfPtrValAllocate(notificationHandle, value_in_size,
                                 (void **)&dest_ptr, value_out);
        if (rc != SA_AIS_OK) {
-- 
2.17.1



_______________________________________________
Opensaf-devel mailing list
Opensaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensaf-devel

Reply via email to