PATCH: ctdb: buffer write beyond limits

swen swen at linux.ibm.com
Mon Feb 18 07:19:52 UTC 2019


Hi Martin
On Sun, 2019-02-17 at 22:18 +1100, Martin Schwenke via samba-technical
wrote:
> Hi Swen,
> 
> On Fri, 15 Feb 2019 14:40:56 +0100, swen via samba-technical
> <samba-technical at lists.samba.org> wrote:
> 
> > Please review and push if happy.
> > 
> > Thanks for your support in advance.
> 
> Thanks for finding that.  I spent a long time staring at the code and
> looked right past it.
> 
> Please add the following tag to the commit message so the fix can be
> backported to 4.9 and 4.10:
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13791
> 
> If the patch is fixing a regression, I often explain when the
> regression was introduced (e.g. commit
> 8b82d10856160d3b3f172bf7d45ac561002dbcac) to make it easier for
> reviewers (and later readers of the history) to understand what has
> happened.  Can you please do that?
> 
> With those 2 things:
> 
> Reviewed-by: Martin Schwenke <martin at meltin.net>
> 
Thanks for your review.
Commit message updated as requested.

Cheers Swen
-------------- next part --------------
From 0c273ee32b5326dd61c84141b3e45291d8a35c3e Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Fri, 15 Feb 2019 14:34:05 +0100
Subject: [PATCH] ctdb: buffer write beyond limits

In order to calculate the number of bytes correctly which
are to be read into the buffer, the buffer.offset must be taken
into account.

This patch fixes a regression introduced by 382705f495dd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13791

Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
 ctdb/common/ctdb_io.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ctdb/common/ctdb_io.c b/ctdb/common/ctdb_io.c
index d86540762ea..c8ba89d6809 100644
--- a/ctdb/common/ctdb_io.c
+++ b/ctdb/common/ctdb_io.c
@@ -226,7 +226,9 @@ buffer_shift:
 	}
 
 data_read:
-	num_ready = MIN(num_ready, queue->buffer.size - queue->buffer.length);
+	num_ready = MIN(num_ready,
+			queue->buffer.size -
+				(queue->buffer.length + queue->buffer.offset));
 
 	if (num_ready > 0) {
 		nread = sys_read(queue->fd,
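Review bot: The new second argument to MIN() at data_read, queue->buffer.size - (queue->buffer.length + queue->buffer.offset), relies on offset + length never exceeding size, and nothing in this hunk checks or documents that invariant. The field types are not visible here; if they are unsigned, a violated invariant would wrap to a very large value, MIN() would then return num_ready unchanged, and the "if (num_ready > 0)" guard below would still let sys_read() proceed. Consider computing the remaining space into a named local with a one-line comment stating that data occupies the region from offset to offset + length, and asserting or clamping to zero when offset + length is larger than size, so the read length cannot exceed the space left in the buffer.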
-- 
2.20.1
