The Samba-Bugzilla – Attachment 16373 Details for Bug 14605: Zero length VLAs in messaging functions can lead to segfaults
[patch] [obsolete]
Patch for 4.12 and 4.13 cherry-picked from master
bug14605-v412,v413.patch (text/plain), 2.19 KB, created by Ralph Böhme on 2021-01-04 14:10:44 UTC
>From 0228c853f0aa50b01706c11c8008898bfdf1b789 Mon Sep 17 00:00:00 2001 >From: Dimitry Andric <dimitry@andric.com> >Date: Fri, 1 Jan 2021 18:25:48 +0100 >Subject: [PATCH] lib: Avoid declaring zero-length VLAs in various messaging > functions >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >In messaging_rec_create(), messaging_recv_cb() and >messaging_dispatch_rec(), variable length arrays of file descriptors are >declared using an incoming num_fds parameter. > >However, there are several scenarios where num_fds can be zero, and >declaring a zero-length VLA is undefined behavior. This can lead to >segmentation faults and/or other crashes when compiling with recent >versions of clang at high optimization levels. > >To avoid ever using zero as the length for these declarations, use >MAX(1, length) instead. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14605 > >Signed-off-by: Dimitry Andric <dimitry@andric.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Mon Jan 4 10:50:07 UTC 2021 on sn-devel-184 > >(cherry picked from commit 3e96c95d41e4ccd0bf43b3ee78af644e2bc32e30) >--- > source3/lib/messages.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/lib/messages.c b/source3/lib/messages.c >index c63b027c6179..448e5d5a2b67 100644 >--- a/source3/lib/messages.c >+++ b/source3/lib/messages.c >@@ -157,7 +157,7 @@ struct messaging_rec *messaging_rec_create( > > { > struct messaging_rec rec; >- int64_t fds64[num_fds]; >+ int64_t fds64[MAX(1, num_fds)]; > size_t i; > > for (i=0; i<num_fds; i++) { 
>@@ -391,7 +391,7 @@ static void messaging_recv_cb(struct tevent_context *ev, > private_data, struct messaging_context); > struct server_id_buf idbuf; > struct messaging_rec rec; >- int64_t fds64[MIN(num_fds, INT8_MAX)]; >+ int64_t fds64[MAX(1, MIN(num_fds, INT8_MAX))]; > size_t i; > > if (msg_len < MESSAGE_HDR_LENGTH) { >@@ -1371,7 +1371,7 @@ static void messaging_dispatch_rec(struct messaging_context *msg_ctx, > > if (ev != msg_ctx->event_ctx) { > struct iovec iov; >- int fds[rec->num_fds]; >+ int fds[MAX(1, rec->num_fds)]; > int ret; > > /* >-- >2.26.2 >
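Review bot: the `MAX(1, num_fds)` in the messaging_rec_create() hunk (@@ -157,7) carries no comment saying why the minimum is 1, so a later cleanup can easily revert it to `int64_t fds64[num_fds];` and reintroduce the zero-length VLA. Suggest a one-line comment at the declaration, e.g. `/* A zero-length VLA is undefined behaviour, see bug 14605 */`, since the `for (i=0; i<num_fds; i++)` loop below gives no hint that num_fds can be zero.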
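Review bot: `MAX(1, MIN(num_fds, INT8_MAX))` in the messaging_recv_cb() hunk (@@ -391,7) clamps the array to INT8_MAX elements, but the visible context shows no check rejecting num_fds greater than INT8_MAX; if the only guard is the `msg_len < MESSAGE_HDR_LENGTH` test, a loop that later iterates up to num_fds would write past fds64. Please confirm there is an explicit `num_fds > INT8_MAX` rejection ahead of the fill loop (or add one), and consider a named local such as `size_t fds64_len = MAX(1, MIN(num_fds, INT8_MAX));` so the array size and the loop bound come from the same expression.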
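Review bot: unlike the messaging_recv_cb() hunk, `int fds[MAX(1, rec->num_fds)]` in the messaging_dispatch_rec() hunk (@@ -1371,7) applies no upper bound, so the stack allocation is still sized by rec->num_fds alone. If rec is only ever built by messaging_rec_create() from an already validated count that may be acceptable, but nothing in this patch says so; either apply the same `MIN(..., INT8_MAX)` clamp here (and in messaging_rec_create()) or state in the commit message why those two sites cannot receive a large count.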
Flags: vl: review+
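The pattern the patch applies (a VLA of file descriptors whose length comes from a message, made safe with `MAX(1, ...)`), shown as a stand-alone added example. This is not Samba code and does not come from the patch above: `pack_fds`, `FDS_LIMIT` and the sample input are assumptions made for the example. It pairs the `MAX(1, MIN(n, limit))` sizing with the explicit rejection of over-long counts that the sizing alone does not give you, and handles the zero-count case that triggered the bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Upper bound on fds per message. INT8_MAX is the clamp used in the
 * patch's messaging_recv_cb() hunk; the name FDS_LIMIT is an assumption
 * of this example. Cast to size_t so MIN() below compares like types. */
#define FDS_LIMIT ((size_t)INT8_MAX)

#ifndef MAX
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#endif
#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/*
 * Widen a caller-supplied list of int fds to int64_t, the way the
 * messaging code builds its fds64[] array before sending.
 *
 * Returns the number of fds packed into out[], or -1 if num_fds exceeds
 * FDS_LIMIT. out must have room for at least num_fds int64_t values.
 *
 * Two things keep the VLA below well-defined:
 *   1. num_fds is checked against FDS_LIMIT *before* any array is sized
 *      from it, so the MIN() clamp can never silently shrink the array
 *      below the count the loop uses.
 *   2. MAX(1, ...) guarantees the declared length is never 0; a VLA with
 *      a length of 0 is undefined behaviour (C11 6.7.6.2p5), which is
 *      what bug 14605 is about. The extra element is never read.
 */
int pack_fds(const int *fds, size_t num_fds, int64_t *out)
{
	size_t i;

	if (num_fds > FDS_LIMIT) {
		return -1;
	}

	{
		/* Zero-length VLAs are UB, hence MAX(1, ...). */
		int64_t fds64[MAX(1, MIN(num_fds, FDS_LIMIT))];

		for (i = 0; i < num_fds; i++) {
			fds64[i] = fds[i];
		}

		/* With num_fds == 0 this copies nothing, which is fine. */
		memcpy(out, fds64, num_fds * sizeof(int64_t));
	}

	return (int)num_fds;
}

int main(void)
{
	/* Constructed sample input, not real descriptors. */
	const int sample[3] = { 3, 7, 11 };
	int64_t out[3];
	int n;

	n = pack_fds(NULL, 0, out);        /* the case that used to hit a 0-length VLA */
	printf("zero fds -> %d\n", n);

	n = pack_fds(sample, 3, out);
	printf("three fds -> %d (out[2]=%lld)\n", n, (long long)out[2]);

	n = pack_fds(sample, 200, out);    /* over FDS_LIMIT: rejected, nothing sized by 200 */
	printf("200 fds -> %d\n", n);

	return 0;
}
```

The bound check precedes the VLA deliberately: with only the clamp, a count above the limit would produce an array shorter than the loop bound, which is a stack overflow rather than a crash on a zero-length array.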