[PATCH] Fixes to CTDB protocol handling

Jeremy Allison jra at samba.org
Tue May 3 15:47:48 UTC 2016


On Tue, May 03, 2016 at 05:30:31PM +0200, Volker Lendecke wrote:
> On Tue, May 03, 2016 at 04:49:57PM +1000, Amitay Isaacs wrote:
> > Here are some more fixes as suggested by Volker.  Add checks before using
> > data on wire and check integer wrapping.
> 
> Quick remark: I believe
> 
> +       if (wire->num * sizeof(struct ctdb_statistics) > buflen) {
> +               return EMSGSIZE;
> +       }
> 
> is wrong. The multiplication could overflow leading to the
> check succeeding where it should not. I think that something
> like
> 
> if (wire->num > buflen / sizeof(struct ..) 
> 
> or so should avoid that.
> 
> Then there's a
> 
>         n = offsetof(struct ctdb_rec_data_wire, data) +
>                 wire->keylen + wire->datalen;
> 
> for which I'm uncertain about the overflow in the +.
> 
> I know, C network protocol code is almost impossible to get right :-(

Remove the "almost" and you're there I think :-).
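An added example (not part of the patch or the thread) of the two checks discussed above, written the way Volker suggests: division instead of multiplication for the statistics count, and per-term comparison against the remaining buffer for the record-data sum. The struct layouts are placeholders, not CTDB's real definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Placeholder layouts; the real ctdb_statistics and ctdb_rec_data_wire
 * definitions differ, only sizeof() and offsetof() matter here. */
struct ctdb_statistics { uint64_t counters[16]; };
struct ctdb_rec_data_wire {
	uint32_t length, reqid, keylen, datalen;
	uint8_t data[1];
};

/* The form in the patch: num * sizeof() can wrap around to a small value,
 * so an absurdly large num slips past the check. Returns 0 when "ok". */
static int stats_check_naive(size_t num, size_t buflen)
{
	if (num * sizeof(struct ctdb_statistics) > buflen) {
		return EMSGSIZE;
	}
	return 0;
}

/* Volker's suggestion: divide instead of multiply, nothing can wrap. */
static int stats_check_safe(size_t num, size_t buflen)
{
	if (num > buflen / sizeof(struct ctdb_statistics)) {
		return EMSGSIZE;
	}
	return 0;
}

/* offsetof(data) + keylen + datalen, validated against buflen without the
 * sum ever being formed from untrusted values: compare each term with what
 * is still left of the buffer. On success *n_out holds the record size. */
static int rec_data_check_safe(size_t keylen, size_t datalen, size_t buflen,
			       size_t *n_out)
{
	size_t hdr = offsetof(struct ctdb_rec_data_wire, data);

	if (buflen < hdr || keylen > buflen - hdr ||
	    datalen > buflen - hdr - keylen) {
		return EMSGSIZE;
	}
	*n_out = hdr + keylen + datalen;
	return 0;
}
```

With `num = SIZE_MAX / sizeof(struct ctdb_statistics) + 1` the naive product wraps to exactly 0 and the check passes, while the division form rejects it.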
