git.samba.org / jlayton / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e173964)
ctdb-protocol: Add checks to validate data on wire before unmarshaling
authorAmitay Isaacs <amitay@gmail.com>
Tue, 3 May 2016 02:53:24 +0000 (12:53 +1000)
committerVolker Lendecke <vl@samba.org>
Sat, 18 Jun 2016 17:33:14 +0000 (19:33 +0200)
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
ctdb/protocol/protocol_call.c patch | blob | history
ctdb/protocol/protocol_control.c patch | blob | history
ctdb/protocol/protocol_message.c patch | blob | history

diff --git a/ctdb/protocol/protocol_call.c b/ctdb/protocol/protocol_call.c
index a2b24cf08439f82ba677f77dc3133a19a2a705ab..2dbd309317b1ea1b776d9a8e5c9bf317f7565d40 100644 (file)
--- a/ctdb/protocol/protocol_call.c
+++ b/ctdb/protocol/protocol_call.c
@@ -123,6 +123,15 @@ int ctdb_req_call_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->keylen > buflen || wire->calldatalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen < length) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen + wire->calldatalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->keylen + wire->calldatalen) {
                return EMSGSIZE;
        }
@@ -197,6 +206,12 @@ int ctdb_reply_call_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->datalen) {
                return EMSGSIZE;
        }
@@ -262,6 +277,12 @@ int ctdb_reply_error_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->msglen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->msglen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->msglen) {
                return EMSGSIZE;
        }
@@ -331,6 +352,15 @@ int ctdb_req_dmaster_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->keylen > buflen || wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen < length) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->keylen + wire->datalen) {
                return EMSGSIZE;
        }
@@ -408,6 +438,15 @@ int ctdb_reply_dmaster_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->keylen > buflen || wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen < length) {
+               return EMSGSIZE;
+       }
+       if (length + wire->keylen + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->keylen + wire->datalen) {
                return EMSGSIZE;
        }
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index f1c03ae3fd2ac1b3c02357906b97ece9ae35cb1f..dff3f2be9ec472302c3faaea1a385ae72ccb1a54 100644 (file)
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -1924,6 +1924,12 @@ int ctdb_req_control_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->datalen) {
                return EMSGSIZE;
        }
@@ -2005,6 +2011,15 @@ int ctdb_reply_control_pull(uint8_t *buf, size_t buflen, uint32_t opcode,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->datalen > buflen || wire->errorlen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen < length) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen + wire->errorlen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->datalen + wire->errorlen) {
                return EMSGSIZE;
        }
diff --git a/ctdb/protocol/protocol_message.c b/ctdb/protocol/protocol_message.c
index 291ebe6f679128123cac0bffb31f226de7f41e64..3188c0ef5a87f7e9cc6b31a276c96c38e4d06d15 100644 (file)
--- a/ctdb/protocol/protocol_message.c
+++ b/ctdb/protocol/protocol_message.c
@@ -325,6 +325,12 @@ int ctdb_req_message_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->datalen) {
                return EMSGSIZE;
        }
@@ -387,6 +393,12 @@ int ctdb_req_message_data_pull(uint8_t *buf, size_t buflen,
        if (buflen < length) {
                return EMSGSIZE;
        }
+       if (wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (length + wire->datalen < length) {
+               return EMSGSIZE;
+       }
        if (buflen < length + wire->datalen) {
                return EMSGSIZE;
        }
Samba