[SCM] Samba Shared Repository - branch master updated
Volker Lendecke
vlendec at samba.org
Sat Jun 18 21:32:02 UTC 2016
The branch, master has been updated
via a978113 ctdb-tests: Improve ctdb protocol tests
via dcd1a43 ctdb-protocol: Add checks to validate data on wire before unmarshaling
via e173964 ctdb-protocol: Add checks to validate data on wire before unmarshaling
via e3e8ce4 ctdb-protocol: Fix marshaling of uint arrays
from 747de99 s4: torture: Added raw readX test to ensure 'reserved' fields are zero.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a97811392ff9efa75334b9c5f0ca480017baa824
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue May 3 14:12:42 2016 +1000
ctdb-tests: Improve ctdb protocol tests
Test with 0-sized arrays in various data types.
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Sat Jun 18 23:31:50 CEST 2016 on sn-devel-144
commit dcd1a43b8c9ead65bebb959dd7e72ada23db0685
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue May 3 12:53:24 2016 +1000
ctdb-protocol: Add checks to validate data on wire before unmarshaling
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit e17396442a99504f559031dfaa03d08f9ad84616
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue May 3 13:20:53 2016 +1000
ctdb-protocol: Add checks to validate data on wire before unmarshaling
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit e3e8ce4b81d617b50f91e238d4e93a5075735658
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue May 3 16:46:29 2016 +1000
ctdb-protocol: Fix marshaling of uint arrays
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
-----------------------------------------------------------------------
Summary of changes:
ctdb/protocol/protocol_call.c | 39 +++++++
ctdb/protocol/protocol_control.c | 15 +++
ctdb/protocol/protocol_message.c | 12 +++
ctdb/protocol/protocol_types.c | 191 ++++++++++++++++++++++++++++++----
ctdb/tests/src/protocol_client_test.c | 6 +-
ctdb/tests/src/protocol_types_test.c | 178 ++++++++++++++++++++-----------
6 files changed, 357 insertions(+), 84 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ctdb/protocol/protocol_call.c b/ctdb/protocol/protocol_call.c
index a2b24cf..2dbd309 100644
--- a/ctdb/protocol/protocol_call.c
+++ b/ctdb/protocol/protocol_call.c
@@ -123,6 +123,15 @@ int ctdb_req_call_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->keylen > buflen || wire->calldatalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->calldatalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->keylen + wire->calldatalen) {
return EMSGSIZE;
}
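Review bot: The second wrap check in ctdb_req_call_pull compares `length + wire->keylen + wire->calldatalen` with `length` rather than with `length + wire->keylen`, so a sum that wraps and lands at or above `length` is not caught. With both fields capped only at `buflen`, that needs a `buflen` of at least half the `size_t` range on a 32-bit build, which is hard to reach in practice. Because `buflen >= length` is already established, subtraction cannot wrap, and `if (wire->keylen > buflen - length || wire->calldatalen > buflen - length - wire->keylen) return EMSGSIZE;` replaces all four tests. The same pattern recurs in ctdb_req_dmaster_pull, ctdb_reply_dmaster_pull, ctdb_reply_control_pull and ctdb_rec_data_pull_data. The declaration of `length` is outside the hunk; this assumes it is a `size_t`.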
@@ -197,6 +206,12 @@ int ctdb_reply_call_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->datalen) {
return EMSGSIZE;
}
@@ -262,6 +277,12 @@ int ctdb_reply_error_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->msglen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->msglen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->msglen) {
return EMSGSIZE;
}
@@ -331,6 +352,15 @@ int ctdb_req_dmaster_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->keylen > buflen || wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->keylen + wire->datalen) {
return EMSGSIZE;
}
@@ -408,6 +438,15 @@ int ctdb_reply_dmaster_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->keylen > buflen || wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->keylen + wire->datalen) {
return EMSGSIZE;
}
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index f1c03ae..dff3f2b 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -1924,6 +1924,12 @@ int ctdb_req_control_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->datalen) {
return EMSGSIZE;
}
@@ -2005,6 +2011,15 @@ int ctdb_reply_control_pull(uint8_t *buf, size_t buflen, uint32_t opcode,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->datalen > buflen || wire->errorlen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen + wire->errorlen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->datalen + wire->errorlen) {
return EMSGSIZE;
}
diff --git a/ctdb/protocol/protocol_message.c b/ctdb/protocol/protocol_message.c
index 291ebe6..3188c0e 100644
--- a/ctdb/protocol/protocol_message.c
+++ b/ctdb/protocol/protocol_message.c
@@ -325,6 +325,12 @@ int ctdb_req_message_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->datalen) {
return EMSGSIZE;
}
@@ -387,6 +393,12 @@ int ctdb_req_message_data_pull(uint8_t *buf, size_t buflen,
if (buflen < length) {
return EMSGSIZE;
}
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
if (buflen < length + wire->datalen) {
return EMSGSIZE;
}
diff --git a/ctdb/protocol/protocol_types.c b/ctdb/protocol/protocol_types.c
index fa11bc2..d06d440 100644
--- a/ctdb/protocol/protocol_types.c
+++ b/ctdb/protocol/protocol_types.c
@@ -97,7 +97,9 @@ size_t ctdb_uint8_array_len(struct ctdb_uint8_array *array)
void ctdb_uint8_array_push(struct ctdb_uint8_array *array, uint8_t *buf)
{
- memcpy(buf, array->val, array->num * sizeof(uint8_t));
+ if (array->num > 0) {
+ memcpy(buf, array->val, array->num * sizeof(uint8_t));
+ }
}
int ctdb_uint8_array_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
@@ -112,12 +114,16 @@ int ctdb_uint8_array_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
array->num = buflen / sizeof(uint8_t);
- array->val = talloc_array(array, uint8_t, array->num);
- if (array->val == NULL) {
- talloc_free(array);
- return ENOMEM;
+ if (array->num > 0) {
+ array->val = talloc_array(array, uint8_t, array->num);
+ if (array->val == NULL) {
+ talloc_free(array);
+ return ENOMEM;
+ }
+ memcpy(array->val, buf, buflen);
+ } else {
+ array->val = NULL;
}
- memcpy(array->val, buf, buflen);
*out = array;
return 0;
@@ -130,7 +136,9 @@ size_t ctdb_uint64_array_len(struct ctdb_uint64_array *array)
void ctdb_uint64_array_push(struct ctdb_uint64_array *array, uint8_t *buf)
{
- memcpy(buf, array->val, array->num * sizeof(uint64_t));
+ if (array->num > 0) {
+ memcpy(buf, array->val, array->num * sizeof(uint64_t));
+ }
}
int ctdb_uint64_array_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
@@ -145,12 +153,16 @@ int ctdb_uint64_array_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
array->num = buflen / sizeof(uint64_t);
- array->val = talloc_array(array, uint64_t, array->num);
- if (array->val == NULL) {
- talloc_free(array);
- return ENOMEM;
+ if (array->num > 0) {
+ array->val = talloc_array(array, uint64_t, array->num);
+ if (array->val == NULL) {
+ talloc_free(array);
+ return ENOMEM;
+ }
+ memcpy(array->val, buf, buflen);
+ } else {
+ array->val = NULL;
}
- memcpy(array->val, buf, buflen);
*out = array;
return 0;
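Review bot: `memcpy(array->val, buf, buflen)` still copies `buflen` bytes into an allocation of `array->num * sizeof(uint64_t)` bytes, where `array->num` is `buflen / sizeof(uint64_t)` rounded down. Unless a check before this hunk rejects lengths that are not a multiple of `sizeof(uint64_t)`, a trailing partial element writes up to seven bytes past the end of `array->val`. Copy the rounded size instead, `memcpy(array->val, buf, array->num * sizeof(uint64_t));`, or return `EMSGSIZE` when `buflen % sizeof(uint64_t) != 0`. The start of ctdb_uint64_array_pull is outside the hunk.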
@@ -243,7 +255,12 @@ int ctdb_stringn_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(uint32_t)) {
return EMSGSIZE;
}
-
+ if (wire->length > buflen) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
if (buflen < sizeof(uint32_t) + wire->length) {
return EMSGSIZE;
}
@@ -319,6 +336,14 @@ int ctdb_statistics_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_statistics_list_wire, stats)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_statistics)) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_statistics_list_wire, stats) +
+ wire->num * sizeof(struct ctdb_statistics) <
+ offsetof(struct ctdb_statistics_list_wire, stats)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_statistics_list_wire, stats) +
wire->num * sizeof(struct ctdb_statistics)) {
return EMSGSIZE;
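Review bot: The division test `wire->num > buflen / sizeof(struct ctdb_statistics)` is what keeps the later `wire->num * sizeof(struct ctdb_statistics)` from wrapping, but nothing in the code says so. A one-line comment above it, `/* bound num first so the multiplication below cannot overflow */`, would stop a later cleanup from dropping it as redundant with the final `buflen` comparison. The same applies to the other count-based hunks in protocol_types.c (vnn_map, dbid_map, tickle_list, public_ip_list, node_map, script_list, iface_list, public_ip_info). The function body continues outside the hunk.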
@@ -374,6 +399,14 @@ int ctdb_vnn_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_vnn_map_wire, map)) {
return EMSGSIZE;
}
+ if (wire->size > buflen / sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_vnn_map_wire, map) +
+ wire->size * sizeof(uint32_t) <
+ offsetof(struct ctdb_vnn_map_wire, map)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_vnn_map_wire, map) +
wire->size * sizeof(uint32_t)) {
return EMSGSIZE;
@@ -424,6 +457,13 @@ int ctdb_dbid_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(uint32_t)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_dbid)) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid) <
+ sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid)) {
return EMSGSIZE;
}
@@ -585,14 +625,25 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen,
size_t *reclen)
{
struct ctdb_rec_data_wire *wire = (struct ctdb_rec_data_wire *)buf;
- size_t offset, n;
+ size_t offset;
if (buflen < offsetof(struct ctdb_rec_data_wire, data)) {
return EMSGSIZE;
}
- n = offsetof(struct ctdb_rec_data_wire, data) +
- wire->keylen + wire->datalen;
- if (buflen < n) {
+ if (wire->keylen > buflen || wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_rec_data_wire, data) + wire->keylen <
+ offsetof(struct ctdb_rec_data_wire, data)) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_rec_data_wire, data) +
+ wire->keylen + wire->datalen <
+ offsetof(struct ctdb_rec_data_wire, data)) {
+ return EMSGSIZE;
+ }
+ if (buflen < offsetof(struct ctdb_rec_data_wire, data) +
+ wire->keylen + wire->datalen) {
return EMSGSIZE;
}
@@ -610,7 +661,8 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen,
data->dsize = wire->datalen;
data->dptr = &wire->data[offset];
- *reclen = n;
+ *reclen = offsetof(struct ctdb_rec_data_wire, data) +
+ wire->keylen + wire->datalen;
return 0;
}
@@ -1099,6 +1151,13 @@ int ctdb_tunable_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_tunable_wire, name)) {
return EMSGSIZE;
}
+ if (wire->length > buflen) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_tunable_wire, name) + wire->length <
+ offsetof(struct ctdb_tunable_wire, name)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_tunable_wire, name) + wire->length) {
return EMSGSIZE;
}
@@ -1193,6 +1252,12 @@ int ctdb_var_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(uint32_t)) {
return EMSGSIZE;
}
+ if (wire->length > buflen) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
if (buflen < sizeof(uint32_t) + wire->length) {
return EMSGSIZE;
}
@@ -1303,6 +1368,14 @@ int ctdb_tickle_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_tickle_list_wire, conn)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_connection)) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_tickle_list_wire, conn) +
+ wire->num * sizeof(struct ctdb_connection) <
+ offsetof(struct ctdb_tickle_list_wire, conn)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_tickle_list_wire, conn) +
wire->num * sizeof(struct ctdb_connection)) {
return EMSGSIZE;
@@ -1380,6 +1453,13 @@ int ctdb_addr_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_addr_info_wire, iface)) {
return EMSGSIZE;
}
+ if (wire->len > buflen) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_addr_info_wire, iface) + wire->len <
+ offsetof(struct ctdb_addr_info_wire, iface)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_addr_info_wire, iface) + wire->len) {
return EMSGSIZE;
}
@@ -1553,6 +1633,13 @@ int ctdb_public_ip_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(uint32_t)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_public_ip)) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_public_ip) <
+ sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
if (buflen < sizeof(uint32_t) +
wire->num * sizeof(struct ctdb_public_ip)) {
return EMSGSIZE;
@@ -1670,6 +1757,21 @@ int ctdb_node_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
int i;
bool ret;
+ if (buflen < sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
+ if (wire->num > buflen / sizeof(struct ctdb_node_and_flags)) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_node_and_flags) <
+ sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
+ if (buflen < sizeof(uint32_t) +
+ wire->num * sizeof(struct ctdb_node_and_flags)) {
+ return EMSGSIZE;
+ }
+
nodemap = talloc(mem_ctx, struct ctdb_node_map);
if (nodemap == NULL) {
return ENOMEM;
@@ -1805,6 +1907,12 @@ int ctdb_script_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offset) {
return EMSGSIZE;
}
+ if (wire->num_scripts > buflen / sizeof(struct ctdb_script)) {
+ return EMSGSIZE;
+ }
+ if (offset + wire->num_scripts * sizeof(struct ctdb_script) < offset) {
+ return EMSGSIZE;
+ }
if (buflen < offset + wire->num_scripts * sizeof(struct ctdb_script)) {
return EMSGSIZE;
}
@@ -1926,6 +2034,13 @@ int ctdb_notify_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_notify_data_wire, data)) {
return EMSGSIZE;
}
+ if (wire->len > buflen) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_notify_data_wire, data) + wire->len <
+ offsetof(struct ctdb_notify_data_wire, data)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_notify_data_wire, data) + wire->len) {
return EMSGSIZE;
}
@@ -2021,6 +2136,13 @@ int ctdb_iface_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(uint32_t)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_iface)) {
+ return EMSGSIZE;
+ }
+ if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface) <
+ sizeof(uint32_t)) {
+ return EMSGSIZE;
+ }
if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface)) {
return EMSGSIZE;
}
@@ -2081,6 +2203,18 @@ int ctdb_public_ip_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces)) {
return EMSGSIZE;
}
+ if (wire->num > buflen / sizeof(struct ctdb_iface)) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_public_ip_info_wire, ifaces) +
+ wire->num * sizeof(struct ctdb_iface) <
+ offsetof(struct ctdb_public_ip_info_wire, ifaces)) {
+ return EMSGSIZE;
+ }
+ if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces) +
+ wire->num * sizeof(struct ctdb_iface)) {
+ return EMSGSIZE;
+ }
ipinfo = talloc(mem_ctx, struct ctdb_public_ip_info);
if (ipinfo == NULL) {
@@ -2140,6 +2274,13 @@ int ctdb_key_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < offsetof(struct ctdb_key_data_wire, key)) {
return EMSGSIZE;
}
+ if (wire->keylen > buflen) {
+ return EMSGSIZE;
+ }
+ if (offsetof(struct ctdb_key_data_wire, key) + wire->keylen <
+ offsetof(struct ctdb_key_data_wire, key)) {
+ return EMSGSIZE;
+ }
if (buflen < offsetof(struct ctdb_key_data_wire, key) + wire->keylen) {
return EMSGSIZE;
}
@@ -2210,9 +2351,23 @@ int ctdb_db_statistics_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx,
if (buflen < sizeof(struct ctdb_db_statistics)) {
return EMSGSIZE;
}
+
offset = 0;
for (i=0; i<wire->dbstats.num_hot_keys; i++) {
+ if (wire->dbstats.hot_keys[i].key.dsize > buflen) {
+ return EMSGSIZE;
+ }
+ if (offset + wire->dbstats.hot_keys[i].key.dsize < offset) {
+ return EMSGSIZE;
+ }
offset += wire->dbstats.hot_keys[i].key.dsize;
+ if (offset > buflen) {
+ return EMSGSIZE;
+ }
+ }
+ if (sizeof(struct ctdb_db_statistics) + offset <
+ sizeof(struct ctdb_db_statistics)) {
+ return EMSGSIZE;
}
if (buflen < sizeof(struct ctdb_db_statistics) + offset) {
return EMSGSIZE;
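Review bot: The loop bound `wire->dbstats.num_hot_keys` comes from the wire and is never compared with the number of elements in `hot_keys`, so `wire->dbstats.hot_keys[i]` can index past the structure that the `sizeof(struct ctdb_db_statistics)` check covers. The declaration is not visible here; if `hot_keys` is a fixed-size array, reject oversized counts before the loop, for example `if (wire->dbstats.num_hot_keys > sizeof(wire->dbstats.hot_keys) / sizeof(wire->dbstats.hot_keys[0])) return EMSGSIZE;`. The per-key `dsize` checks added here bound only the running `offset`, not the index. The function starts and ends outside the hunk.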
diff --git a/ctdb/tests/src/protocol_client_test.c b/ctdb/tests/src/protocol_client_test.c
--
Samba Shared Repository