[dm-devel] [PATCH 18/39] libmpathcmd: limit size of the CLI buffer
Hannes Reinecke
hare at suse.de
Thu Jun 16 09:47:24 UTC 2016
A malicious program might inject a large buffer via the CLI and
cause the daemon to abort due to OOM.
So limit the maximum CLI buffer size to 64k.
Found by coverity.
Signed-off-by: Hannes Reinecke <hare at suse.com>
---
libmpathcmd/mpath_cmd.c | 2 ++
libmpathcmd/mpath_cmd.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/libmpathcmd/mpath_cmd.c b/libmpathcmd/mpath_cmd.c
index 1aaf5ea..2290ecb 100644
--- a/libmpathcmd/mpath_cmd.c
+++ b/libmpathcmd/mpath_cmd.c
@@ -142,6 +142,8 @@ int mpath_recv_reply(int fd, char **reply, unsigned int timeout)
len = mpath_recv_reply_len(fd, timeout);
if (len <= 0)
return len;
+ if (len > MAX_REPLY_LEN)
+ return -EINVAL;
*reply = malloc(len);
if (!*reply)
return -1;
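Review bot: the new `return -EINVAL` in mpath_recv_reply() introduces a second error convention next to the existing `return -1` on malloc failure a few lines below, so a caller that tests for `== -1` will not treat an oversized length as an error it knows about. Either return -1 here as well and set errno, or document in the function's header comment that negative errno values can come back. The hunk does not show whether <errno.h> is already included in mpath_cmd.c, so that is worth checking. It is also worth confirming that no legitimate reply can exceed 65536 bytes, because after this change such a reply is rejected outright rather than read.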
diff --git a/libmpathcmd/mpath_cmd.h b/libmpathcmd/mpath_cmd.h
index 4ec0291..f33f000 100644
--- a/libmpathcmd/mpath_cmd.h
+++ b/libmpathcmd/mpath_cmd.h
@@ -28,6 +28,7 @@ extern "C" {
#define DEFAULT_SOCKET "/org/kernel/linux/storage/multipathd"
#define DEFAULT_REPLY_TIMEOUT 1000
+#define MAX_REPLY_LEN 65536
/*
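Review bot: `MAX_REPLY_LEN` is added to the public header, inside the `extern "C"` block, without a comment, so library users cannot tell its unit or where it is enforced. A one-line comment stating that it is the maximum length in bytes accepted by mpath_recv_reply(), and which error is returned when it is exceeded, would help. The commit message describes a limit on the CLI buffer while the macro is named for replies; aligning the two would make the intent easier to follow.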
--
2.6.6