ctdb-protocol: Add checks to validate data on wire before unmarshaling

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/ctdb/protocol/protocol_types.c b/ctdb/protocol/protocol_types.c
index d1890cf608e657a12a8eaad2275c756d6efdf89d..d06d4407a1cd92e266de7c50032bb2ebac30a689 100644 (file)
--- a/ctdb/protocol/protocol_types.c
+++ b/ctdb/protocol/protocol_types.c
@@ -255,7 +255,12 @@ int ctdb_stringn_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(uint32_t)) {
                return EMSGSIZE;
        }
-
+       if (wire->length > buflen) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
        if (buflen < sizeof(uint32_t) + wire->length) {
                return EMSGSIZE;
        }
@@ -331,6 +336,14 @@ int ctdb_statistics_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_statistics_list_wire, stats)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_statistics)) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_statistics_list_wire, stats) +
+           wire->num * sizeof(struct ctdb_statistics) <
+           offsetof(struct ctdb_statistics_list_wire, stats)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_statistics_list_wire, stats) +
                     wire->num * sizeof(struct ctdb_statistics)) {
                return EMSGSIZE;
@@ -386,6 +399,14 @@ int ctdb_vnn_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_vnn_map_wire, map)) {
                return EMSGSIZE;
        }
+       if (wire->size > buflen / sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_vnn_map_wire, map) +
+           wire->size * sizeof(uint32_t) <
+           offsetof(struct ctdb_vnn_map_wire, map)) {
+                   return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_vnn_map_wire, map) +
                     wire->size * sizeof(uint32_t)) {
                return EMSGSIZE;
@@ -436,6 +457,13 @@ int ctdb_dbid_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(uint32_t)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_dbid)) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid) <
+           sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
        if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid)) {
                return EMSGSIZE;
        }
@@ -597,14 +625,25 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen,
                                   size_t *reclen)
 {
        struct ctdb_rec_data_wire *wire = (struct ctdb_rec_data_wire *)buf;
-       size_t offset, n;
+       size_t offset;
 
        if (buflen < offsetof(struct ctdb_rec_data_wire, data)) {
                return EMSGSIZE;
        }
-       n = offsetof(struct ctdb_rec_data_wire, data) +
-               wire->keylen + wire->datalen;
-       if (buflen < n) {
+       if (wire->keylen > buflen || wire->datalen > buflen) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_rec_data_wire, data) + wire->keylen <
+           offsetof(struct ctdb_rec_data_wire, data)) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_rec_data_wire, data) +
+               wire->keylen + wire->datalen <
+           offsetof(struct ctdb_rec_data_wire, data)) {
+               return EMSGSIZE;
+       }
+       if (buflen < offsetof(struct ctdb_rec_data_wire, data) +
+                       wire->keylen + wire->datalen) {
                return EMSGSIZE;
        }
 
@@ -622,7 +661,8 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen,
        data->dsize = wire->datalen;
        data->dptr = &wire->data[offset];
 
-       *reclen = n;
+       *reclen = offsetof(struct ctdb_rec_data_wire, data) +
+                       wire->keylen + wire->datalen;
 
        return 0;
 }
@@ -1111,6 +1151,13 @@ int ctdb_tunable_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_tunable_wire, name)) {
                return EMSGSIZE;
        }
+       if (wire->length > buflen) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_tunable_wire, name) + wire->length <
+           offsetof(struct ctdb_tunable_wire, name)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_tunable_wire, name) + wire->length) {
                return EMSGSIZE;
        }
@@ -1205,6 +1252,12 @@ int ctdb_var_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(uint32_t)) {
                return EMSGSIZE;
        }
+       if (wire->length > buflen) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
        if (buflen < sizeof(uint32_t) + wire->length) {
                return EMSGSIZE;
        }
@@ -1315,6 +1368,14 @@ int ctdb_tickle_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_tickle_list_wire, conn)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_connection)) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_tickle_list_wire, conn) +
+           wire->num * sizeof(struct ctdb_connection) <
+           offsetof(struct ctdb_tickle_list_wire, conn)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_tickle_list_wire, conn) +
                     wire->num * sizeof(struct ctdb_connection)) {
                return EMSGSIZE;
@@ -1392,6 +1453,13 @@ int ctdb_addr_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_addr_info_wire, iface)) {
                return EMSGSIZE;
        }
+       if (wire->len > buflen) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_addr_info_wire, iface) + wire->len <
+           offsetof(struct ctdb_addr_info_wire, iface)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_addr_info_wire, iface) + wire->len) {
                return EMSGSIZE;
        }
@@ -1565,6 +1633,13 @@ int ctdb_public_ip_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(uint32_t)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_public_ip)) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_public_ip) <
+           sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
        if (buflen < sizeof(uint32_t) +
                     wire->num * sizeof(struct ctdb_public_ip)) {
                return EMSGSIZE;
@@ -1682,6 +1757,21 @@ int ctdb_node_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        int i;
        bool ret;
 
+       if (buflen < sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
+       if (wire->num > buflen / sizeof(struct ctdb_node_and_flags)) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_node_and_flags) <
+           sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
+       if (buflen < sizeof(uint32_t) +
+                    wire->num * sizeof(struct ctdb_node_and_flags)) {
+               return EMSGSIZE;
+       }
+
        nodemap = talloc(mem_ctx, struct ctdb_node_map);
        if (nodemap == NULL) {
                return ENOMEM;
@@ -1817,6 +1907,12 @@ int ctdb_script_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offset) {
                return EMSGSIZE;
        }
+       if (wire->num_scripts > buflen / sizeof(struct ctdb_script)) {
+               return EMSGSIZE;
+       }
+       if (offset + wire->num_scripts * sizeof(struct ctdb_script) < offset) {
+               return EMSGSIZE;
+       }
        if (buflen < offset + wire->num_scripts * sizeof(struct ctdb_script)) {
                return EMSGSIZE;
        }
@@ -1938,6 +2034,13 @@ int ctdb_notify_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_notify_data_wire, data)) {
                return EMSGSIZE;
        }
+       if (wire->len > buflen) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_notify_data_wire, data) + wire->len <
+           offsetof(struct ctdb_notify_data_wire, data)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_notify_data_wire, data) + wire->len) {
                return EMSGSIZE;
        }
@@ -2033,6 +2136,13 @@ int ctdb_iface_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(uint32_t)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_iface)) {
+               return EMSGSIZE;
+       }
+       if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface) <
+           sizeof(uint32_t)) {
+               return EMSGSIZE;
+       }
        if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface)) {
                return EMSGSIZE;
        }
@@ -2093,6 +2203,18 @@ int ctdb_public_ip_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces)) {
                return EMSGSIZE;
        }
+       if (wire->num > buflen / sizeof(struct ctdb_iface)) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_public_ip_info_wire, ifaces) +
+           wire->num * sizeof(struct ctdb_iface) <
+           offsetof(struct ctdb_public_ip_info_wire, ifaces)) {
+               return EMSGSIZE;
+       }
+       if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces) +
+                    wire->num * sizeof(struct ctdb_iface)) {
+               return EMSGSIZE;
+       }
 
        ipinfo = talloc(mem_ctx, struct ctdb_public_ip_info);
        if (ipinfo == NULL) {
@@ -2152,6 +2274,13 @@ int ctdb_key_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < offsetof(struct ctdb_key_data_wire, key)) {
                return EMSGSIZE;
        }
+       if (wire->keylen > buflen) {
+               return EMSGSIZE;
+       }
+       if (offsetof(struct ctdb_key_data_wire, key) + wire->keylen <
+           offsetof(struct ctdb_key_data_wire, key)) {
+               return EMSGSIZE;
+       }
        if (buflen < offsetof(struct ctdb_key_data_wire, key) + wire->keylen) {
                return EMSGSIZE;
        }
@@ -2222,9 +2351,23 @@ int ctdb_db_statistics_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
        if (buflen < sizeof(struct ctdb_db_statistics)) {
                return EMSGSIZE;
        }
+
        offset = 0;
        for (i=0; i<wire->dbstats.num_hot_keys; i++) {
+               if (wire->dbstats.hot_keys[i].key.dsize > buflen) {
+                       return EMSGSIZE;
+               }
+               if (offset + wire->dbstats.hot_keys[i].key.dsize < offset) {
+                       return EMSGSIZE;
+               }
                offset += wire->dbstats.hot_keys[i].key.dsize;
+               if (offset > buflen) {
+                       return EMSGSIZE;
+               }
+       }
+       if (sizeof(struct ctdb_db_statistics) + offset <
+           sizeof(struct ctdb_db_statistics)) {
+               return EMSGSIZE;
        }
        if (buflen < sizeof(struct ctdb_db_statistics) + offset) {
                return EMSGSIZE;