PATCH: ctdb: buffer write beyond limits

Martin Schwenke martin at meltin.net
Wed Feb 20 03:11:18 UTC 2019 

On Wed, 20 Feb 2019 13:59:15 +1100, Martin Schwenke via samba-technical
<samba-technical at lists.samba.org> wrote:

> On Tue, 19 Feb 2019 16:17:30 -0700, Christof Schmitt via
> samba-technical <samba-technical at lists.samba.org> wrote:
> 
> > On Tue, Feb 19, 2019 at 02:02:31PM -0700, Christof Schmitt via samba-technical wrote:  
> > > Maybe we can get this in another day? See the attached patch for the
> > > start of a test of the queue code. Could we extend that to trigger the
> > > problem and then verify that it is fixed with your patch?  
> > 
> > The initial patch was missing the wscript update. Here is an extended
> > version that shows the memory corruption without your fix. I would
> > suggest to add the fix with a test now to fix the 4.10 release and then
> > we can work towards adding more tests for the queueing code.  
> 
> Thanks for that.  That looks really good.  I always thought we would
> have problems writing unit tests for that code because it uses struct
> ctdb_context, which drags in the world, but this is nice!
> 
> Ironically, the test refuses to compile with CFLAGS="-O3" and
> --picky-developer:
> 
> [318/380] Compiling ctdb/tests/src/ctdb_io_test.c
> In file included from ../../tests/src/ctdb_io_test.c:23:
> ../../tests/src/ctdb_io_test.c: In function ‘test1_callback’:
> ../../tests/src/ctdb_io_test.c:70:9: error: ‘__builtin_memcmp_eq’ reading 12 bytes from a region of size 9 [-Werror=stringop-overflow=]
>   assert(memcmp(data  + sizeof(len), test1_req, len) == 0);
>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
> 
> That is, the test reads off the end of the buffer...  :-)
> 
> The fixup below seems to do the job:
> 
> diff --git a/ctdb/tests/src/ctdb_io_test.c b/ctdb/tests/src/ctdb_io_test.c
> index 22bd2f4930f..5a2f81538a1 100644
> --- a/ctdb/tests/src/ctdb_io_test.c
> +++ b/ctdb/tests/src/ctdb_io_test.c
> @@ -67,7 +67,7 @@ static void test1_callback(uint8_t *data, size_t length, void *private_data)
>         assert(len == sizeof(uint32_t) + test1_req_len);
>  
>         assert(length == sizeof(uint32_t) + test1_req_len);
> -       assert(memcmp(data  + sizeof(len), test1_req, length) == 0);
> +       assert(memcmp(data  + sizeof(len), test1_req, test1_req_len) == 0);
>  }
>  
>  static void test1(void)

Oh, and if we're going to push it with the bug fix then can we please
add the bug tag?

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13791

Thanks...

peace & happiness,
martin

More information about the samba-technical mailing list