[dm-devel] [PATCH v3 07/19] libmultipath: fix length issues in get_vpd_sgio

Martin Wilck mwilck at suse.com
Mon Oct 1 21:25:04 UTC 2018


On Fri, 2018-09-21 at 18:05 -0500, Benjamin Marzinski wrote:
> When get_vpd_sgio() finds out that the vpd info needed to be truncated
> to fit in the buffer, it doesn't truncate the size as well, which allows
> it to overwrite the buffer. Also, once len is set to -ENODATA,
> get_vpd_sgio() should exit, instead of using the negative len in
> memcpy(). Found by Coverity.
> 
> Signed-off-by: Benjamin Marzinski <bmarzins at redhat.com>

Reviewed-by: Martin Wilck <mwilck at suse.com>


> ---
>  libmultipath/discovery.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
> index 0b1855d..3e0db7f 100644
> --- a/libmultipath/discovery.c
> +++ b/libmultipath/discovery.c
> @@ -1116,17 +1116,21 @@ get_vpd_sgio (int fd, int pg, char * str, int
> maxlen)
>  		return -ENODATA;
>  	}
>  	buff_len = get_unaligned_be16(&buff[2]) + 4;
> -	if (buff_len > 4096)
> +	if (buff_len > 4096) {
>  		condlog(3, "vpd pg%02x page truncated", pg);
> -
> +		buff_len = 4096;
> +	}
>  	if (pg == 0x80)
>  		len = parse_vpd_pg80(buff, str, maxlen);
>  	else if (pg == 0x83)
>  		len = parse_vpd_pg83(buff, buff_len, str, maxlen);
>  	else if (pg == 0xc9 && maxlen >= 8) {
> -		len = buff_len < 8 ? -ENODATA :
> -			(buff_len <= maxlen ? buff_len : maxlen);
> -		memcpy (str, buff, len);
> +		if (buff_len < 8)
> +			len = -ENODATA;
> +		else {
> +			len = (buff_len <= maxlen)? buff_len : maxlen;
> +			memcpy (str, buff, len);
> +		}
>  	} else
>  		len = -ENOSYS;
>  
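
Review bot: the pg == 0x80 branch still calls parse_vpd_pg80(buff, str, maxlen) without buff_len, so the new clamp to 4096 never reaches that parser; unless it already bounds its reads against the buffer size on its own, it should take buff_len the way parse_vpd_pg83() does. In the clamp itself, 4096 now appears twice as a literal (the comparison and the assignment), and a named constant for the buffer size would keep the two from drifting apart. Minor style point in the 0xc9 branch: `(buff_len <= maxlen)? buff_len : maxlen` wants a space before the `?`.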

-- 
Dr. Martin Wilck <mwilck at suse.com>, Tel. +49 (0)911 74053 2107
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)




