ctdb: buffer write beyond limits
authorSwen Schillig <swen@linux.ibm.com>
Fri, 15 Feb 2019 13:34:05 +0000 (14:34 +0100)
committerMartin Schwenke <martins@samba.org>
Fri, 22 Feb 2019 01:08:07 +0000 (02:08 +0100)
In order to calculate the number of bytes correctly which
are to be read into the buffer, the buffer.offset must be taken
into account.

This patch fixes a regression introduced by 382705f495dd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13791

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
ctdb/common/ctdb_io.c

index d865407..c16eb7f 100644 (file)
@@ -164,6 +164,7 @@ static void queue_io_read(struct ctdb_queue *queue)
 {
        int num_ready = 0;
        uint32_t pkt_size = 0;
+       uint32_t start_offset;
        ssize_t nread;
        uint8_t *data;
 
@@ -226,7 +227,17 @@ buffer_shift:
        }
 
 data_read:
-       num_ready = MIN(num_ready, queue->buffer.size - queue->buffer.length);
+       start_offset = queue->buffer.length + queue->buffer.offset;
+       if (start_offset < queue->buffer.length) {
+               DBG_ERR("Buffer overflow\n");
+               goto failed;
+       }
+       if (start_offset > queue->buffer.size) {
+               DBG_ERR("Buffer overflow\n");
+               goto failed;
+       }
+
+       num_ready = MIN(num_ready, queue->buffer.size - start_offset);
 
        if (num_ready > 0) {
                nread = sys_read(queue->fd,