[dm-devel] [PATCH 16/39] libmultipath: fixup possible buffer overflow in alua_rtpg.c

Hannes Reinecke hare at suse.de
Thu Jun 16 09:47:22 UTC 2016


We need to reserve an additional 4 bytes for the length of
the response buffer, so add a proper range check to avoid
accidental wrap-arounds.
Found by Coverity.

Signed-off-by: Hannes Reinecke <hare at suse.com>
---
 libmultipath/prioritizers/alua_rtpg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libmultipath/prioritizers/alua_rtpg.c b/libmultipath/prioritizers/alua_rtpg.c
index 636aae5..22b0d4f 100644
--- a/libmultipath/prioritizers/alua_rtpg.c
+++ b/libmultipath/prioritizers/alua_rtpg.c
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <sys/ioctl.h>
 #include <inttypes.h>
 #include <libudev.h>
@@ -219,6 +220,9 @@ get_target_port_group(struct path * pp)
 			goto out;
 
 		scsi_buflen = (buf[2] << 8 | buf[3]) + 4;
+		/* Paranoia */
+		if (scsi_buflen >= USHRT_MAX)
+			scsi_buflen = USHRT_MAX;
 		if (buflen < scsi_buflen) {
 			free(buf);
 			buf = (unsigned char *)malloc(scsi_buflen);
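Review bot: The clamp in get_target_port_group caps the reallocated buffer at USHRT_MAX bytes, but the length field in `buf[2..3]` can still advertise up to 0xFFFF + 4 bytes, so the buffer can now be a few bytes shorter than the response claims to be. The code that re-reads and walks the page lies outside this hunk; if it bounds its loop by the length in the header rather than by `scsi_buflen`, it can read past the allocation, so that bound should be checked. The `/* Paranoia */` comment does not say why the cap exists; something like `/* cap the re-read size; parsing must be bounded by scsi_buflen, not by the length in buf[2..3] */` would record the constraint. The same consideration applies to the UINT_MAX clamp added in get_asymmetric_access_state.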
@@ -303,7 +307,7 @@ get_asymmetric_access_state(int fd, unsigned int tpg)
 	struct rtpg_tpg_dscr *	dscr;
 	int			rc;
 	int			buflen;
-	uint32_t		scsi_buflen;
+	uint64_t		scsi_buflen;
 
 	buflen = 4096;
 	buf = (unsigned char *)malloc(buflen);
@@ -317,6 +321,8 @@ get_asymmetric_access_state(int fd, unsigned int tpg)
 	if (rc < 0)
 		goto out;
 	scsi_buflen = (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) + 4;
+	if (scsi_buflen > UINT_MAX)
+		scsi_buflen = UINT_MAX;
 	if (buflen < scsi_buflen) {
 		free(buf);
 		buf = (unsigned char *)malloc(scsi_buflen);
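Review bot: The `> UINT_MAX` check cannot see the wrap-around it is meant to catch, because the right-hand side of the assignment is still evaluated in `int`: `buf` is `unsigned char *`, so `buf[0] << 24` is undefined for `buf[0] >= 0x80` and the `+ 4` can overflow before the result is widened to the `uint64_t` declared in the previous hunk. A header of ff ff ff ff is likely to produce a small positive value that passes both checks, while a result that goes negative is sign-extended, clamped, and turned into a `malloc` of UINT_MAX bytes. Widening the first operand makes the check meaningful: `scsi_buflen = ((uint64_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) + 4;`. Rejecting an implausibly large device-reported length with `goto out` may be preferable to allocating up to 4 GiB for it; the rest of the function is outside this hunk.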
-- 
2.6.6



