[dm-devel] [PATCH] multipathd: "show map mpathx json" would cause realloc error possibly
Benjamin Marzinski
bmarzins at redhat.com
Tue Nov 1 17:13:57 UTC 2016
On Tue, Nov 01, 2016 at 01:54:38PM +0800, tang.junhui at zte.com.cn wrote:
> A return value from calling snprintf() of size or more means
> that the output was truncated, so I think this patch solved a
> big problem, it avoids memory collapse.
ACK
It would probably also be smart to change all the
if (!TAIL)
break;
lines to
if (TAIL <= 0)
break;
just as an extra precaution.
-Ben
>
> > From: tang.wenjun3 at zte.com.cn
> > To: Christophe Varoqui <christophe.varoqui at opensvc.com>,
> > Cc: zhang.kai16 at zte.com.cn, dm-devel at redhat.com, 10144149
> <tang.wenjun3 at zte.com.cn>
> > Date: 2016-10-14 11:23
> > Subject: [dm-devel] [PATCH] multipathd: "show map mpathx json" would
> cause realloc error possibly
> > Sent by: dm-devel-bounces at redhat.com
> >
> >
> >
> > From: 10144149 <tang.wenjun3 at zte.com.cn>
> >
> > Problem: multipathd dead when we run "show map spathx json" command with
> > system messages as follows:
> > Oct 13 11:37:30 rhel7-1 multipathd: *** Error in `/sbin/multipathd':
> realloc(): invalid next size: 0x00007f8cf8004210 ***
> > Oct 13 11:37:30 rhel7-1 multipathd: ======= Backtrace: =========
> > Oct 13 11:37:30 rhel7-1 multipathd:
> /lib64/libc.so.6(+0x7bc67)[0x7f8d06171c67]
> > Oct 13 11:37:30 rhel7-1 multipathd:
> /lib64/libc.so.6(+0x7fb17)[0x7f8d06175b17]
> > Oct 13 11:37:30 rhel7-1 multipathd:
> /lib64/libc.so.6(realloc+0xd2)[0x7f8d06176702]
> >
> > Reasons: in function snprint_multipath_fields_json
> > vector_foreach_slot (pgp->paths, pp, j) {
> > fwd += snprint_path(buff + fwd, len - fwd, PRINT_JSON_PATH, pp,
> 0);
> > if (fwd > len)
> > return fwd;
> >
> > fwd += snprint_json_elem_footer(buff + fwd,
> > len - fwd, 3, j + 1 == VECTOR_SIZE(pgp->paths));
> > if (fwd > len)
> > return fwd;
> > }
> >
> > snprint_path (char * line, int len, char * format, struct path * pp, int
> pad)
> >
> > When len - fwd = 0, the length is not restricted in snprint_path, and the
> > memory of line is overwritten in snprint_path. This causes realloc() to
> > fail, so the check fwd > len is changed to fwd >= len.
> >
> > Other commands also have this type of risk.
> >
> > Signed-off-by: 10144149 <tang.wenjun3 at zte.com.cn>
> > ---
> > libmultipath/print.c | 131
> ++++++++++++++++++++++++++-------------------------
> > 1 file changed, 66 insertions(+), 65 deletions(-)
> >
> > diff --git a/libmultipath/print.c b/libmultipath/print.c
> > index 9aa41ad..78c065f 100644
> > --- a/libmultipath/print.c
> > +++ b/libmultipath/print.c
> > @@ -1004,11 +1004,11 @@ snprint_multipath_topology (char * buff, int
> len, struct multipath * mpp,
> > c += sprintf(c, "%c[%dm", 0x1B, 0);
> /* bold off */
> >
> > fwd += snprint_multipath(buff + fwd, len - fwd, style,
> mpp, 1);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > fwd += snprint_multipath(buff + fwd, len - fwd,
> PRINT_MAP_PROPS, mpp,
> >
> 1);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > if (!mpp->pg)
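Review bot: The `fwd >= len` tests added here keep `len - fwd` positive for the next call, but nothing in the hunk records that the format helpers rely on it; per the patch description, `snprint_path()` does not bound its writes when it is handed a length of 0. A comment above the first `snprint_multipath()` call would make that contract visible, e.g. `/* helpers need len - fwd > 0; fwd reaching len means the output was truncated */`. The same applies to the `snprint_pathgroup()` and `snprint_path()` call sites in the next two hunks of snprint_multipath_topology and to those in snprint_multipath_fields_json. The function body starts and ends outside this hunk.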
> > @@ -1022,7 +1022,7 @@ snprint_multipath_topology (char * buff, int len,
> struct multipath * mpp,
> > } else
> > strcpy(f, "`-+- "
> PRINT_PG_INDENT);
> > fwd += snprint_pathgroup(buff + fwd,
> len - fwd, fmt, pgp);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > vector_foreach_slot (pgp->paths, pp,
> i) {
> > @@ -1035,13 +1035,14 @@ snprint_multipath_topology (char * buff, int
> len, struct multipath * mpp,
> > else
> >
> strcpy(f, " `- " PRINT_PATH_INDENT);
> > fwd +=
> snprint_path(buff + fwd, len - fwd, fmt, pp, 1);
> > - if (fwd > len)
> > + if (fwd >= len)
> >
> return len;
> > }
> > }
> > return fwd;
> > }
> >
> > +
> > static int
> > snprint_json (char * buff, int len, int indent, char *json_str)
> > {
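Review bot: The blank line added before `static int snprint_json` is unrelated to the bounds fix and leaves two blank lines between the functions. Dropping that `+` line keeps the patch limited to the `fwd >= len` changes, which makes a memory-safety fix easier to audit and to backport.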
> > @@ -1049,7 +1050,7 @@ snprint_json (char * buff, int len, int indent,
> char *json_str)
> >
> > for (i = 0; i < indent; i++) {
> > fwd += snprintf(buff + fwd, len -
> fwd, PRINT_JSON_INDENT);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> > }
> >
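Review bot: The new `fwd >= len` test in the indent loop catches truncation but not a failed call: `snprintf()` returns a negative value on an output error, and `fwd += snprintf(...)` would then move `fwd` backwards and pass the test. That is unlikely with a constant format such as PRINT_JSON_INDENT, but capturing the result in a local `int n` covers both cases: `n = snprintf(buff + fwd, len - fwd, PRINT_JSON_INDENT);` followed by `if (n < 0 || (fwd += n) >= len) return fwd;`. The direct `snprintf()` calls in snprint_json_elem_footer, snprint_multipath_fields_json, snprint_hwentry and the later config printers have the same shape. The rest of snprint_json lies outside this hunk.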
> > @@ -1063,7 +1064,7 @@ snprint_json_header (char * buff, int len)
> > int fwd = 0;
> >
> > fwd += snprint_json(buff, len, 0,
> PRINT_JSON_START_ELEM);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprintf(buff + fwd, len - fwd,
> PRINT_JSON_START_VERSION,
> > @@ -1078,7 +1079,7 @@ snprint_json_elem_footer (char * buff, int len,
> int indent, int last)
> >
> > for (i = 0; i < indent; i++) {
> > fwd += snprintf(buff + fwd, len -
> fwd, PRINT_JSON_INDENT);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> > }
> >
> > @@ -1098,50 +1099,50 @@ snprint_multipath_fields_json (char * buff, int
> len,
> > struct pathgroup *pgp;
> >
> > fwd += snprint_multipath(buff, len, PRINT_JSON_MAP,
> mpp, 0);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 2,
> PRINT_JSON_START_GROUPS);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > vector_foreach_slot (mpp->pg, pgp, i) {
> >
> > pgp->selector = mpp->selector;
> > fwd += snprint_pathgroup(buff + fwd,
> len - fwd, PRINT_JSON_GROUP, pgp);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprintf(buff + fwd, len -
> fwd, PRINT_JSON_GROUP_NUM, i + 1);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprint_json(buff + fwd, len -
> fwd, 3, PRINT_JSON_START_PATHS);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > vector_foreach_slot (pgp->paths, pp,
> j) {
> > fwd +=
> snprint_path(buff + fwd, len - fwd, PRINT_JSON_PATH, pp, 0);
> > - if (fwd > len)
> > + if (fwd >= len)
> >
> return fwd;
> >
> > fwd +=
> snprint_json_elem_footer(buff + fwd,
> >
> len - fwd, 3, j + 1 == VECTOR_SIZE(pgp->paths));
> > - if (fwd > len)
> > + if (fwd >= len)
> >
> return fwd;
> > }
> > fwd += snprint_json(buff + fwd, len -
> fwd, 0, PRINT_JSON_END_ARRAY);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprint_json_elem_footer(buff
> + fwd,
> > len
> - fwd, 2, i + 1 == VECTOR_SIZE(mpp->pg));
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> > }
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0,
> PRINT_JSON_END_ARRAY);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return fwd;
> >
> > fwd += snprint_json_elem_footer(buff + fwd, len - fwd,
> 1, last);
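Review bot: On truncation this function returns `fwd`, which can be larger than `len`, while the top-level printers snprint_multipath_map_json and snprint_multipath_topology_json return `len`; nothing in the hunk documents the difference. A short header comment would help, such as `/* returns a value >= len (not clamped) when the output was truncated; callers must check before writing again */`. snprint_json, snprint_json_header and snprint_json_elem_footer follow the same convention. The hunk ends on the final `snprint_json_elem_footer()` call, so whether its result is checked before the return cannot be seen here.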
> > @@ -1154,23 +1155,23 @@ snprint_multipath_map_json (char * buff, int
> len,
> > int fwd = 0;
> >
> > fwd += snprint_json_header(buff, len);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0,
> PRINT_JSON_START_MAP);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_multipath_fields_json(buff + fwd, len -
> fwd, mpp, 1);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0, "\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0,
> PRINT_JSON_END_LAST);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1182,26 +1183,26 @@ snprint_multipath_topology_json (char * buff,
> int len, struct vectors * vecs)
> > struct multipath * mpp;
> >
> > fwd += snprint_json_header(buff, len);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 1,
> PRINT_JSON_START_MAPS);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > vector_foreach_slot(vecs->mpvec, mpp, i) {
> > fwd +=
> snprint_multipath_fields_json(buff + fwd, len - fwd,
> >
> mpp, i + 1 == VECTOR_SIZE(vecs->mpvec));
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0,
> PRINT_JSON_END_ARRAY);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > fwd += snprint_json(buff + fwd, len - fwd, 0,
> PRINT_JSON_END_LAST);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1225,16 +1226,16 @@ snprint_hwentry (struct config *conf, char *
> buff, int len, struct hwentry * hwe
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "\tdevice
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > iterate_sub_keywords(rootkw, kw, i) {
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> > kw,
> hwe);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1252,15 +1253,15 @@ snprint_hwtable (struct config *conf, char *
> buff, int len, vector hwtable)
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "devices {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > vector_foreach_slot (hwtable, hwe, i) {
> > fwd += snprint_hwentry(conf, buff +
> fwd, len - fwd, hwe);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1278,16 +1279,16 @@ snprint_mpentry (struct config *conf, char *
> buff, int len, struct mpentry * mpe
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "\tmultipath
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > iterate_sub_keywords(rootkw, kw, i) {
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> > kw,
> mpe);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1305,15 +1306,15 @@ snprint_mptable (struct config *conf, char *
> buff, int len, vector mptable)
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "multipaths
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > vector_foreach_slot (mptable, mpe, i) {
> > fwd += snprint_mpentry(conf, buff +
> fwd, len - fwd, mpe);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1331,19 +1332,19 @@ snprint_overrides (struct config *conf, char *
> buff, int len, struct hwentry *ov
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "overrides
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > if (!overrides)
> > goto out;
> > iterate_sub_keywords(rootkw, kw, i) {
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, NULL);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > out:
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1361,17 +1362,17 @@ snprint_defaults (struct config *conf, char *
> buff, int len)
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "defaults
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > iterate_sub_keywords(rootkw, kw, i) {
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> > kw,
> NULL);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1508,7 +1509,7 @@ snprint_blacklist (struct config *conf, char *
> buff, int len)
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd, "blacklist
> {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > vector_foreach_slot (conf->blist_devnode, ble, i) {
> > @@ -1517,7 +1518,7 @@ snprint_blacklist (struct config *conf, char *
> buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ble);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > vector_foreach_slot (conf->blist_wwid, ble, i) {
> > @@ -1526,7 +1527,7 @@ snprint_blacklist (struct config *conf, char *
> buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ble);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > vector_foreach_slot (conf->blist_property, ble, i) {
> > @@ -1535,7 +1536,7 @@ snprint_blacklist (struct config *conf, char *
> buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ble);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > rootkw = find_keyword(conf->keywords, rootkw->sub,
> "device");
> > @@ -1544,28 +1545,28 @@ snprint_blacklist (struct config *conf, char *
> buff, int len)
> >
> > vector_foreach_slot (conf->blist_device, bled, i) {
> > fwd += snprintf(buff + fwd, len -
> fwd, "\tdevice {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > kw = find_keyword(conf->keywords,
> rootkw->sub, "vendor");
> > if (!kw)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> >
> kw, bled);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > kw = find_keyword(conf->keywords,
> rootkw->sub, "product");
> > if (!kw)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> >
> kw, bled);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > fwd += snprintf(buff + fwd, len -
> fwd, "\t}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1585,7 +1586,7 @@ snprint_blacklist_except (struct config *conf,
> char * buff, int len)
> > return 0;
> >
> > fwd += snprintf(buff + fwd, len - fwd,
> "blacklist_exceptions {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> >
> > vector_foreach_slot (conf->elist_devnode, ele, i) {
> > @@ -1594,7 +1595,7 @@ snprint_blacklist_except (struct config *conf,
> char * buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ele);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > vector_foreach_slot (conf->elist_wwid, ele, i) {
> > @@ -1603,7 +1604,7 @@ snprint_blacklist_except (struct config *conf,
> char * buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ele);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > vector_foreach_slot (conf->elist_property, ele, i) {
> > @@ -1612,7 +1613,7 @@ snprint_blacklist_except (struct config *conf,
> char * buff, int len)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t%k %v\n",
> >
> kw, ele);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > rootkw = find_keyword(conf->keywords, rootkw->sub,
> "device");
> > @@ -1621,28 +1622,28 @@ snprint_blacklist_except (struct config *conf,
> char * buff, int len)
> >
> > vector_foreach_slot (conf->elist_device, eled, i) {
> > fwd += snprintf(buff + fwd, len -
> fwd, "\tdevice {\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > kw = find_keyword(conf->keywords,
> rootkw->sub, "vendor");
> > if (!kw)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> >
> kw, eled);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > kw = find_keyword(conf->keywords,
> rootkw->sub, "product");
> > if (!kw)
> > return 0;
> > fwd += snprint_keyword(buff + fwd,
> len - fwd, "\t\t%k %v\n",
> >
> kw, eled);
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > fwd += snprintf(buff + fwd, len -
> fwd, "\t}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > }
> > fwd += snprintf(buff + fwd, len - fwd, "}\n");
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1674,7 +1675,7 @@ snprint_status (char * buff, int len, struct
> vectors *vecs)
> > fwd += snprintf(buff + fwd, len - fwd, "\npaths:
> %d\nbusy: %s\n",
> > monitored_count,
> is_uevent_busy()? "True" : "False");
> >
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > @@ -1740,7 +1741,7 @@ snprint_devices (struct config *conf, char * buff,
> int len, struct vectors *vecs
> > }
> > closedir(blkdir);
> >
> > - if (fwd > len)
> > + if (fwd >= len)
> > return len;
> > return fwd;
> > }
> > --
> > 2.8.1.windows.1
> >
> >