The Samba-Bugzilla – Attachment 10937 Details for
Bug 11201
CTDB contains potential buffer overflows, unchecked memory allocation failures, resource leaks
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for 4.2
v4-2-test-bz11201.patch (text/plain), 14.77 KB, created by
Martin Schwenke
on 2015-04-09 05:12:03 UTC
(
hide
)
Description:
Patches for 4.2
Filename:
MIME Type:
Creator:
Martin Schwenke
Created:
2015-04-09 05:12:03 UTC
Size:
14.77 KB
patch
obsolete
>From 202669fad3f2c1450025af7041f1614b740a8c8f Mon Sep 17 00:00:00 2001 >From: Amitay Isaacs <amitay@gmail.com> >Date: Tue, 14 Oct 2014 17:52:55 +1100 >Subject: [PATCH 01/11] ctdb-tools: Fix heap-use-after-free problem > >Found by address sanitizer. > >Signed-off-by: Amitay Isaacs <amitay@gmail.com> >Reviewed-by: Martin Schwenke <martin@meltin.net> > >Autobuild-User(master): Martin Schwenke <martins@samba.org> >Autobuild-Date(master): Fri Oct 17 12:56:02 CEST 2014 on sn-devel-104 > >(cherry picked from commit 470af881479d1a1588dc23ef40622b4d8f006b61) >--- > ctdb/tools/ctdb.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > >diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c >index 6414c24..c386d35 100644 >--- a/ctdb/tools/ctdb.c >+++ b/ctdb/tools/ctdb.c >@@ -928,6 +928,7 @@ static int find_node_xpnn(void) > TALLOC_CTX *mem_ctx = talloc_new(NULL); > struct pnn_node *pnn_nodes; > struct pnn_node *pnn_node; >+ int pnn; > > pnn_nodes = read_nodes_file(mem_ctx); > if (pnn_nodes == NULL) { >@@ -938,8 +939,9 @@ static int find_node_xpnn(void) > > for(pnn_node=pnn_nodes;pnn_node;pnn_node=pnn_node->next) { > if (ctdb_sys_have_ip(&pnn_node->addr)) { >+ pnn = pnn_node->pnn; > talloc_free(mem_ctx); >- return pnn_node->pnn; >+ return pnn; > } > } > >@@ -1850,6 +1852,7 @@ find_other_host_for_public_ip(struct ctdb_context *ctdb, ctdb_sock_addr *addr) > struct ctdb_all_public_ips *ips; > struct ctdb_node_map *nodemap=NULL; > int i, j, ret; >+ int pnn; > > ret = ctdb_ctrl_getnodemap(ctdb, TIMELIMIT(), CTDB_CURRENT_NODE, tmp_ctx, &nodemap); > if (ret != 0) { >@@ -1875,8 +1878,9 @@ find_other_host_for_public_ip(struct ctdb_context *ctdb, ctdb_sock_addr *addr) > > for (j=0;j<ips->num;j++) { > if (ctdb_same_ip(addr, &ips->ips[j].addr)) { >+ pnn = nodemap->nodes[i].pnn; > talloc_free(tmp_ctx); >- return nodemap->nodes[i].pnn; >+ return pnn; > } > } > talloc_free(ips); >-- >2.1.4 > > >From 22cb227eb8925e5b9be5fdff6cb670685dc6bd61 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Sat, 7 Mar 2015 10:29:21 +0000 >Subject: [PATCH 02/11] ctdb: Fix 1125553 Buffer not null terminated > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Ira Cooper <ira@samba.org> >(cherry picked from commit 621bd0784290f24e229caf0590206805f6f2e75c) >--- > ctdb/common/system_linux.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c >index 97a57ac..fdb8d12 100644 >--- a/ctdb/common/system_linux.c >+++ b/ctdb/common/system_linux.c >@@ -100,7 +100,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface) > } > > DEBUG(DEBUG_DEBUG, (__location__ " Created SOCKET FD:%d for sending arp\n", s)); >- strncpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)-1); >+ strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)); > if (ioctl(s, SIOCGIFINDEX, &ifr) < 0) { > DEBUG(DEBUG_CRIT,(__location__ " interface '%s' not found\n", iface)); > close(s); >-- >2.1.4 > > >From 6e5a0c0527f48dde4434a5f0e6b54a6490289fda Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 11 Mar 2015 10:58:11 +0000 >Subject: [PATCH 03/11] ctdb: Fix CID 1288201 Array compared against 0 > >"helper_prog" is now declared as a static array > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit f724bfb44a6086a17d90a802c3965a0b9fd09ebd) >--- > ctdb/server/eventscript.c | 4 ---- > 1 file changed, 4 deletions(-) > >diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c >index 28bbb54..f323e50 100644 >--- a/ctdb/server/eventscript.c >+++ b/ctdb/server/eventscript.c >@@ -447,10 +447,6 @@ static void ctdb_run_debug_hung_script(struct ctdb_context *ctdb, struct debug_h > const char **argv; > int i; > >- if (helper_prog == NULL) { >- return; >- } >- > if (pipe(fd) < 0) { > DEBUG(DEBUG_ERR,("Failed to create pipe fd for debug hung script\n")); > return; >-- >2.1.4 > > >From 7d67a5f620ff2b55837bd9c49c59efa43fe182f8 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 13 Mar 2015 14:11:20 +0000 >Subject: [PATCH 04/11] ctdb: Make for-loop in ctdb_get_script_list more > idiomatic > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit a8cc495b967935852c5357c3a4ef3d37579fb51b) >--- > ctdb/server/eventscript.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > >diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c >index f323e50..a212fa2 100644 >--- a/ctdb/server/eventscript.c >+++ b/ctdb/server/eventscript.c >@@ -160,7 +160,7 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > { > struct dirent **namelist; > struct ctdb_scripts_wire *scripts; >- int count; >+ int i, count; > > /* scan all directory entries and insert all valid scripts into the > tree >@@ -183,11 +183,12 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > } > scripts->num_scripts = count; > >- for (count = 0; count < scripts->num_scripts; count++) { >- strcpy(scripts->scripts[count].name, namelist[count]->d_name); >- scripts->scripts[count].status = 0; >- if (!check_executable(ctdb->event_script_dir, namelist[count]->d_name)) { >- scripts->scripts[count].status = -errno; >+ for (i = 0; i < count; i++) { >+ strcpy(scripts->scripts[i].name, namelist[i]->d_name); >+ scripts->scripts[i].status = 0; >+ if (!check_executable(ctdb->event_script_dir, >+ namelist[i]->d_name)) { >+ scripts->scripts[i].status = -errno; > } > } > >-- >2.1.4 > > >From 7b9dbdfbe9b26801033d57465c0938e425b7199f Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 13 Mar 2015 14:12:41 +0000 >Subject: [PATCH 05/11] ctdb: Fix memleak in ctdb_get_script_list > >scandir allocates every name individually, see example code in susv4 or man >scandir > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit c1e8bfb186c5cbeafbce9f2767db82edb579d5e1) >--- > ctdb/server/eventscript.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > >diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c >index a212fa2..523c8f1 100644 >--- a/ctdb/server/eventscript.c >+++ b/ctdb/server/eventscript.c >@@ -178,8 +178,7 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > + sizeof(scripts->scripts[0]) * count); > if (scripts == NULL) { > DEBUG(DEBUG_ERR, (__location__ " Failed to allocate scripts\n")); >- free(namelist); >- return NULL; >+ goto done; > } > scripts->num_scripts = count; > >@@ -192,6 +191,10 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > } > } > >+done: >+ for (i=0; i<count; i++) { >+ free(namelist[i]); >+ } > free(namelist); > return scripts; > } >-- >2.1.4 > > >From be089b3302f4938fa9899a1b6afca36d969936a8 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 13 Mar 2015 14:16:17 +0000 >Subject: [PATCH 06/11] ctdb: Introduce a helper var in ctdb_get_script_list > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 8d9bb5c54aae0099e0dde2d9a904676fcb9340c0) >--- > ctdb/server/eventscript.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > >diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c >index 523c8f1..c8ee1d4 100644 >--- a/ctdb/server/eventscript.c >+++ b/ctdb/server/eventscript.c >@@ -183,11 +183,13 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > scripts->num_scripts = count; > > for (i = 0; i < count; i++) { >- strcpy(scripts->scripts[i].name, namelist[i]->d_name); >- scripts->scripts[i].status = 0; >+ struct ctdb_script_wire *s = &scripts->scripts[i]; >+ >+ strcpy(s->name, namelist[i]->d_name); >+ s->status = 0; > if (!check_executable(ctdb->event_script_dir, > namelist[i]->d_name)) { >- scripts->scripts[i].status = -errno; >+ s->status = -errno; > } > } > >-- >2.1.4 > > >From f4443699b8911604143c8f15c2bd1d233c56b31d Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 13 Mar 2015 14:20:05 +0000 >Subject: [PATCH 07/11] ctdb: Fix CID 1125613 Destination buffer too small > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> > >Autobuild-User(master): Michael Adam <obnox@samba.org> >Autobuild-Date(master): Fri Mar 13 19:14:20 CET 2015 on sn-devel-104 > >(cherry picked from commit d171d2010a256a46446de5328a0897df3838855a) >--- > ctdb/server/eventscript.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c >index c8ee1d4..e3131b3 100644 >--- a/ctdb/server/eventscript.c >+++ b/ctdb/server/eventscript.c >@@ -185,7 +185,12 @@ static struct ctdb_scripts_wire *ctdb_get_script_list(struct ctdb_context *ctdb, > for (i = 0; i < count; i++) { > struct ctdb_script_wire *s = &scripts->scripts[i]; > >- strcpy(s->name, namelist[i]->d_name); >+ if (strlcpy(s->name, namelist[i]->d_name, sizeof(s->name)) >= >+ sizeof(s->name)) { >+ s->status = -ENAMETOOLONG; >+ continue; >+ } >+ > s->status = 0; > if (!check_executable(ctdb->event_script_dir, > namelist[i]->d_name)) { >@@ -339,6 +344,7 @@ static int script_status(struct ctdb_scripts_wire *scripts) > > for (i = 0; i < scripts->num_scripts; i++) { > switch (scripts->scripts[i].status) { >+ case -ENAMETOOLONG: > case -ENOENT: > case -ENOEXEC: > /* Disabled or missing; that's OK. */ >-- >2.1.4 > > >From ca23bde957217a33746e7cad38e2c2ade75d5be7 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 26 Mar 2015 13:06:26 +0100 >Subject: [PATCH 08/11] ctdb: Fix CID 1125634 Out-of-bounds write > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 93d4e801298d8ebb7261adbfc2bdb1a5fbe7115c) >--- > ctdb/tests/src/ctdb_takeover_tests.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/ctdb/tests/src/ctdb_takeover_tests.c b/ctdb/tests/src/ctdb_takeover_tests.c >index 8b07325..7ff8755 100644 >--- a/ctdb/tests/src/ctdb_takeover_tests.c >+++ b/ctdb/tests/src/ctdb_takeover_tests.c >@@ -431,7 +431,7 @@ static void ctdb_test_init(const char nodestates[], > while (tok != NULL) { > nodeflags[numnodes] = (uint32_t) strtol(tok, NULL, 0); > numnodes++; >- if (numnodes > CTDB_TEST_MAX_NODES) { >+ if (numnodes >= CTDB_TEST_MAX_NODES) { > DEBUG(DEBUG_ERR, ("ERROR: Exceeding CTDB_TEST_MAX_NODES: %d\n", CTDB_TEST_MAX_NODES)); > exit(1); > } >-- >2.1.4 > > >From 7ed38ab48fd17c8fe0b737e8a0984c2cf7b1817d Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Thu, 26 Mar 2015 13:11:14 +0100 >Subject: [PATCH 09/11] ctdb: Fix CID 1125615 Copy into fixed size buffer > >Might be a "can't happen", but strcpy always looks fishy > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 508b45fca93ca2dfb048fdf7465602bc34df42db) >--- > ctdb/tests/src/ctdb_test_stubs.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/ctdb/tests/src/ctdb_test_stubs.c b/ctdb/tests/src/ctdb_test_stubs.c >index 82e82f3..c57f6ca 100644 >--- a/ctdb/tests/src/ctdb_test_stubs.c >+++ b/ctdb/tests/src/ctdb_test_stubs.c >@@ -515,7 +515,12 @@ int32_t ctdb_control_get_ifaces(struct ctdb_context *ctdb, > > i = 0; > for (cur=ctdb->ifaces;cur;cur=cur->next) { >- strcpy(ifaces->ifaces[i].name, cur->name); >+ size_t nlen = strlcpy(ifaces->ifaces[i].name, cur->name, >+ sizeof(ifaces->ifaces[i].name)); >+ if (nlen >= sizeof(ifaces->ifaces[i].name)) { >+ /* Ignore invalid name */ >+ continue; >+ } > ifaces->ifaces[i].link_state = cur->link_up; > ifaces->ifaces[i].references = cur->references; > i++; >-- >2.1.4 > > >From 6ee63f058dbd7aa05e830bc633ec4e1ef91a56cb Mon Sep 17 00:00:00 2001 >From: Rajesh Joseph <rjoseph@redhat.com> >Date: Tue, 31 Mar 2015 18:43:36 +0530 >Subject: [PATCH 10/11] ctdb: Coverity fix for CID 1291643 > >CID 1291643: Resource leak: leaked_handle: Handle >variable lock_fd going out of scope leaks the handle. > >Fix: on failure case release handle variable lock_fd > >Signed-off-by: Rajesh Joseph <rjoseph@redhat.com> >Reviewed-by: Michael Adam <obnox@samba.org> >Reviewed-by: David Disseldorp <ddiss@samba.org> >(cherry picked from commit 801bdcde6a7a92acfdb26d87a17a33802e166a2d) > >Conflicts: > ctdb/tcp/tcp_connect.c >--- > ctdb/tcp/tcp_connect.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > >diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c >index 8a112ff..af6d1bd 100644 >--- a/ctdb/tcp/tcp_connect.c >+++ b/ctdb/tcp/tcp_connect.c >@@ -385,12 +385,17 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) > strerror(errno), errno)); > } > } >- >+ > if (i == ctdb->num_nodes) { > DEBUG(DEBUG_CRIT,("Unable to bind to any of the node addresses - giving up\n")); > goto failed; > } > ctdb->address.address = talloc_strdup(ctdb, ctdb->nodes[i]->address.address); >+ if (ctdb->address.address == NULL) { >+ ctdb_set_error(ctdb, "Out of memory at %s:%d", >+ __FILE__, __LINE__); >+ goto failed; >+ } > ctdb->address.port = ctdb->nodes[i]->address.port; > ctdb->name = talloc_asprintf(ctdb, "%s:%u", > ctdb->address.address, >@@ -400,7 +405,7 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) > ctdb->address.address, > ctdb->address.port, > ctdb->pnn)); >- >+ > if (listen(ctcp->listen_fd, 10) == -1) { > goto failed; > } >-- >2.1.4 > > >From 64c349afbac6041f3f4aba8b3cf6a4cc4dd81144 Mon Sep 17 00:00:00 2001 >From: David Disseldorp <ddiss@samba.org> >Date: Tue, 31 Mar 2015 18:06:43 +0200 >Subject: [PATCH 11/11] ctdb: check for talloc_asprintf() failure > >Signed-off-by: David Disseldorp <ddiss@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> > >Autobuild-User(master): Michael Adam <obnox@samba.org> >Autobuild-Date(master): Wed Apr 1 15:36:03 CEST 2015 on sn-devel-104 > >(cherry picked from commit 12309f8bfb70878bec5fcec4681eb4e463e07357) > >Conflicts: > ctdb/tcp/tcp_connect.c >--- > ctdb/tcp/tcp_connect.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > >diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c >index af6d1bd..da4e6e1 100644 >--- a/ctdb/tcp/tcp_connect.c >+++ b/ctdb/tcp/tcp_connect.c >@@ -397,13 +397,18 @@ static int ctdb_tcp_listen_automatic(struct ctdb_context *ctdb) > goto failed; > } > ctdb->address.port = ctdb->nodes[i]->address.port; >- ctdb->name = talloc_asprintf(ctdb, "%s:%u", >- ctdb->address.address, >+ ctdb->name = talloc_asprintf(ctdb, "%s:%u", >+ ctdb->address.address, > ctdb->address.port); >+ if (ctdb->name == NULL) { >+ ctdb_set_error(ctdb, "Out of memory at %s:%d", >+ __FILE__, __LINE__); >+ goto failed; >+ } > ctdb->pnn = ctdb->nodes[i]->pnn; >- DEBUG(DEBUG_INFO,("ctdb chose network address %s:%u pnn %u\n", >- ctdb->address.address, >- ctdb->address.port, >+ DEBUG(DEBUG_INFO,("ctdb chose network address %s:%u pnn %u\n", >+ ctdb->address.address, >+ ctdb->address.port, > ctdb->pnn)); > > if (listen(ctcp->listen_fd, 10) == -1) { >-- >2.1.4 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
amitay
:
review+
Actions:
View
Attachments on
bug 11201
: 10937