From 202669fad3f2c1450025af7041f1614b740a8c8f Mon Sep 17 00:00:00 2001 From: Amitay Isaacs Date: Tue, 14 Oct 2014 17:52:55 +1100 Subject: [PATCH 01/11] ctdb-tools: Fix heap-use-after-free problem Found by address sanitizer. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke Autobuild-User(master): Martin Schwenke Autobuild-Date(master): Fri Oct 17 12:56:02 CEST 2014 on sn-devel-104 (cherry picked from commit 470af881479d1a1588dc23ef40622b4d8f006b61) --- ctdb/tools/ctdb.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c index 6414c24..c386d35 100644 --- a/ctdb/tools/ctdb.c +++ b/ctdb/tools/ctdb.c @@ -928,6 +928,7 @@ static int find_node_xpnn(void) TALLOC_CTX *mem_ctx = talloc_new(NULL); struct pnn_node *pnn_nodes; struct pnn_node *pnn_node; + int pnn; pnn_nodes = read_nodes_file(mem_ctx); if (pnn_nodes == NULL) { @@ -938,8 +939,9 @@ static int find_node_xpnn(void) for(pnn_node=pnn_nodes;pnn_node;pnn_node=pnn_node->next) { if (ctdb_sys_have_ip(&pnn_node->addr)) { + pnn = pnn_node->pnn; talloc_free(mem_ctx); - return pnn_node->pnn; + return pnn; } } @@ -1850,6 +1852,7 @@ find_other_host_for_public_ip(struct ctdb_context *ctdb, ctdb_sock_addr *addr) struct ctdb_all_public_ips *ips; struct ctdb_node_map *nodemap=NULL; int i, j, ret; + int pnn; ret = ctdb_ctrl_getnodemap(ctdb, TIMELIMIT(), CTDB_CURRENT_NODE, tmp_ctx, &nodemap); if (ret != 0) { @@ -1875,8 +1878,9 @@ find_other_host_for_public_ip(struct ctdb_context *ctdb, ctdb_sock_addr *addr) for (j=0;jnum;j++) { if (ctdb_same_ip(addr, &ips->ips[j].addr)) { + pnn = nodemap->nodes[i].pnn; talloc_free(tmp_ctx); - return nodemap->nodes[i].pnn; + return pnn; } } talloc_free(ips); -- 2.1.4 From 22cb227eb8925e5b9be5fdff6cb670685dc6bd61 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 7 Mar 2015 10:29:21 +0000 Subject: [PATCH 02/11] ctdb: Fix 1125553 Buffer not null terminated Signed-off-by: Volker Lendecke Reviewed-by: Ira Cooper (cherry picked from commit 621bd0784290f24e229caf0590206805f6f2e75c) --- ctdb/common/system_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c index 97a57ac..fdb8d12 100644 --- a/ctdb/common/system_linux.c +++ b/ctdb/common/system_linux.c @@ -100,7 +100,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface) } DEBUG(DEBUG_DEBUG, (__location__ " Created SOCKET FD:%d for sending arp\n", s)); - strncpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)-1); + strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)); if (ioctl(s, SIOCGIFINDEX, &ifr) < 0) { DEBUG(DEBUG_CRIT,(__location__ " interface '%s' not found\n", iface)); close(s); -- 2.1.4 From 6e5a0c0527f48dde4434a5f0e6b54a6490289fda Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 11 Mar 2015 10:58:11 +0000 Subject: [PATCH 03/11] ctdb: Fix CID 1288201 Array compared against 0 "helper_prog" is now declared as a static array Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit f724bfb44a6086a17d90a802c3965a0b9fd09ebd) --- ctdb/server/eventscript.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index 28bbb54..f323e50 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -447,10 +447,6 @@ static void ctdb_run_debug_hung_script(struct ctdb_context *ctdb, struct debug_h const char **argv; int i; - if (helper_prog == NULL) { - return; - } - if (pipe(fd) < 0) { DEBUG(DEBUG_ERR,("Failed to create pipe fd for debug hung script\n")); return; -- 2.1.4 From 7d67a5f620ff2b55837bd9c49c59efa43fe182f8 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 13 Mar 2015 14:11:20 +0000 Subject: [PATCH 04/11] ctdb: Make for-loop in ctdb_get_script_list more idiomatic Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam (cherry picked from commit a8cc495b967935852c5357c3a4ef3d37579fb51b) --- ctdb/server/eventscript.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index f323e50..a212fa2 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -160,7 +160,7 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, { struct dirent **namelist; struct ctdb_scripts_wire *scripts; - int count; + int i, count; /* scan all directory entries and insert all valid scripts into the tree @@ -183,11 +183,12 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, } scripts->num_scripts = count; - for (count = 0; count < scripts->num_scripts; count++) { - strcpy(scripts->scripts[count].name, namelist[count]->d_name); - scripts->scripts[count].status = 0; - if (!check_executable(ctdb->event_script_dir, namelist[count]->d_name)) { - scripts->scripts[count].status = -errno; + for (i = 0; i < count; i++) { + strcpy(scripts->scripts[i].name, namelist[i]->d_name); + scripts->scripts[i].status = 0; + if (!check_executable(ctdb->event_script_dir, + namelist[i]->d_name)) { + scripts->scripts[i].status = -errno; } } -- 2.1.4 From 7b9dbdfbe9b26801033d57465c0938e425b7199f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 13 Mar 2015 14:12:41 +0000 Subject: [PATCH 05/11] ctdb: Fix memleak in ctdb_get_script_list scandir allocates every name individually, see example code in susv4 or man scandir Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam (cherry picked from commit c1e8bfb186c5cbeafbce9f2767db82edb579d5e1) --- ctdb/server/eventscript.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index a212fa2..523c8f1 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -178,8 +178,7 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, + sizeof(scripts->scripts[0]) * count); if (scripts == NULL) { DEBUG(DEBUG_ERR, (__location__ " Failed to allocate scripts\n")); - free(namelist); - return NULL; + goto done; } scripts->num_scripts = count; @@ -192,6 +191,10 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, } } +done: + for (i=0; i Date: Fri, 13 Mar 2015 14:16:17 +0000 Subject: [PATCH 06/11] ctdb: Introduce a helper var in ctdb_get_script_list Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam (cherry picked from commit 8d9bb5c54aae0099e0dde2d9a904676fcb9340c0) --- ctdb/server/eventscript.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index 523c8f1..c8ee1d4 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -183,11 +183,13 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, scripts->num_scripts = count; for (i = 0; i < count; i++) { - strcpy(scripts->scripts[i].name, namelist[i]->d_name); - scripts->scripts[i].status = 0; + struct ctdb_script_wire *s = &scripts->scripts[i]; + + strcpy(s->name, namelist[i]->d_name); + s->status = 0; if (!check_executable(ctdb->event_script_dir, namelist[i]->d_name)) { - scripts->scripts[i].status = -errno; + s->status = -errno; } } -- 2.1.4 From f4443699b8911604143c8f15c2bd1d233c56b31d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 13 Mar 2015 14:20:05 +0000 Subject: [PATCH 07/11] ctdb: Fix CID 1125613 Destination buffer too small Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam Autobuild-User(master): Michael Adam Autobuild-Date(master): Fri Mar 13 19:14:20 CET 2015 on sn-devel-104 (cherry picked from commit d171d2010a256a46446de5328a0897df3838855a) --- ctdb/server/eventscript.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index c8ee1d4..e3131b3 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -185,7 +185,12 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, for (i = 0; i < count; i++) { struct ctdb_script_wire *s = &scripts->scripts[i]; - strcpy(s->name, namelist[i]->d_name); + if (strlcpy(s->name, namelist[i]->d_name, sizeof(s->name)) >= + sizeof(s->name)) { + s->status = -ENAMETOOLONG; + continue; + } + s->status = 0; if (!check_executable(ctdb->event_script_dir, namelist[i]->d_name)) { @@ -339,6 +344,7 @@ static int script_status(struct ctdb_scripts_wire *scripts) for (i = 0; i < scripts->num_scripts; i++) { switch (scripts->scripts[i].status) { + case -ENAMETOOLONG: case -ENOENT: case -ENOEXEC: /* Disabled or missing; that's OK. */ -- 2.1.4 From ca23bde957217a33746e7cad38e2c2ade75d5be7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 26 Mar 2015 13:06:26 +0100 Subject: [PATCH 08/11] ctdb: Fix CID 1125634 Out-of-bounds write Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam (cherry picked from commit 93d4e801298d8ebb7261adbfc2bdb1a5fbe7115c) --- ctdb/tests/src/ctdb_takeover_tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ctdb/tests/src/ctdb_takeover_tests.c b/ctdb/tests/src/ctdb_takeover_tests.c index 8b07325..7ff8755 100644 --- a/ctdb/tests/src/ctdb_takeover_tests.c +++ b/ctdb/tests/src/ctdb_takeover_tests.c @@ -431,7 +431,7 @@ static void ctdb_test_init(const char nodestates[], while (tok != NULL) { nodeflags[numnodes] = (uint32_t) strtol(tok, NULL, 0); numnodes++; - if (numnodes > CTDB_TEST_MAX_NODES) { + if (numnodes >= CTDB_TEST_MAX_NODES) { DEBUG(DEBUG_ERR, ("ERROR: Exceeding CTDB_TEST_MAX_NODES: %d\n", CTDB_TEST_MAX_NODES)); exit(1); } -- 2.1.4 From 7ed38ab48fd17c8fe0b737e8a0984c2cf7b1817d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 26 Mar 2015 13:11:14 +0100 Subject: [PATCH 09/11] ctdb: Fix CID 1125615 Copy into fixed size buffer Might be a "can't happen", but strcpy always looks fishy Signed-off-by: Volker Lendecke Reviewed-by: Michael Adam (cherry picked from commit 508b45fca93ca2dfb048fdf7465602bc34df42db) --- ctdb/tests/src/ctdb_test_stubs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ctdb/tests/src/ctdb_test_stubs.c b/ctdb/tests/src/ctdb_test_stubs.c index 82e82f3..c57f6ca 100644 --- a/ctdb/tests/src/ctdb_test_stubs.c +++ b/ctdb/tests/src/ctdb_test_stubs.c @@ -515,7 +515,12 @@ int32_t ctdb_control_get_ifaces(struct ctdb_context *ctdb, i = 0; for (cur=ctdb->ifaces;cur;cur=cur->next) { - strcpy(ifaces->ifaces[i].name, cur->name); + size_t nlen = strlcpy(ifaces->ifaces[i].name, cur->name, + sizeof(ifaces->ifaces[i].name)); + if (nlen >= sizeof(ifaces->ifaces[i].name)) { + /* Ignore invalid name */ + continue; + } ifaces->ifaces[i].link_state = cur->link_up; ifaces->ifaces[i].references = cur->references; i++; -- 2.1.4 From 6ee63f058dbd7aa05e830bc633ec4e1ef91a56cb Mon Sep 17 00:00:00 2001 From: Rajesh Joseph Date: Tue, 31 Mar 2015 18:43:36 +0530 Subject: [PATCH 10/11] ctdb: Coverity fix for CID 1291643 CID 1291643: Resource leak: leaked_handle: Handle variable lock_fd going out of scope leaks the handle. Fix: on failure case release handle variable lock_fd Signed-off-by: Rajesh Joseph Reviewed-by: Michael Adam Reviewed-by: David Disseldorp (cherry picked from commit 801bdcde6a7a92acfdb26d87a17a33802e166a2d) Conflicts: ctdb/tcp/tcp_connect.c --- ctdb/tcp/tcp_connect.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c index 8a112ff..af6d1bd 100644 --- a/ctdb/tcp/tcp_connect.c +++ b/ctdb/tcp/tcp_connect.c @@ -385,12 +385,17 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) strerror(errno), errno)); } } - + if (i == ctdb->num_nodes) { DEBUG(DEBUG_CRIT,("Unable to bind to any of the node addresses - giving up\n")); goto failed; } ctdb->address.address = talloc_strdup(ctdb, ctdb->nodes[i]->address.address); + if (ctdb->address.address == NULL) { + ctdb_set_error(ctdb, "Out of memory at %s:%d", + __FILE__, __LINE__); + goto failed; + } ctdb->address.port = ctdb->nodes[i]->address.port; ctdb->name = talloc_asprintf(ctdb, "%s:%u", ctdb->address.address, @@ -400,7 +405,7 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) ctdb->address.address, ctdb->address.port, ctdb->pnn)); - + if (listen(ctcp->listen_fd, 10) == -1) { goto failed; } -- 2.1.4 From 64c349afbac6041f3f4aba8b3cf6a4cc4dd81144 Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Tue, 31 Mar 2015 18:06:43 +0200 Subject: [PATCH 11/11] ctdb: check for talloc_asprintf() failure Signed-off-by: David Disseldorp Reviewed-by: Michael Adam Autobuild-User(master): Michael Adam Autobuild-Date(master): Wed Apr 1 15:36:03 CEST 2015 on sn-devel-104 (cherry picked from commit 12309f8bfb70878bec5fcec4681eb4e463e07357) Conflicts: ctdb/tcp/tcp_connect.c --- ctdb/tcp/tcp_connect.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c index af6d1bd..da4e6e1 100644 --- a/ctdb/tcp/tcp_connect.c +++ b/ctdb/tcp/tcp_connect.c @@ -397,13 +397,18 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) goto failed; } ctdb->address.port = ctdb->nodes[i]->address.port; - ctdb->name = talloc_asprintf(ctdb, "%s:%u", - ctdb->address.address, + ctdb->name = talloc_asprintf(ctdb, "%s:%u", + ctdb->address.address, ctdb->address.port); + if (ctdb->name == NULL) { + ctdb_set_error(ctdb, "Out of memory at %s:%d", + __FILE__, __LINE__); + goto failed; + } ctdb->pnn = ctdb->nodes[i]->pnn; - DEBUG(DEBUG_INFO,("ctdb chose network address %s:%u pnn %u\n", - ctdb->address.address, - ctdb->address.port, + DEBUG(DEBUG_INFO,("ctdb chose network address %s:%u pnn %u\n", + ctdb->address.address, + ctdb->address.port, ctdb->pnn)); if (listen(ctcp->listen_fd, 10) == -1) { -- 2.1.4