author | Swen Schillig <swen@linux.ibm.com> | 2019-02-15 14:34:05 +0100 |
---|---|---|
committer | Martin Schwenke <martins@samba.org> | 2019-02-22 02:08:07 +0100 |
commit | fa8e69ac9538980c441b7fbefe0979027ecc8eac (patch) | |
tree | 228d14e7aade74d9d6040c0519e19f47509deea2 /ctdb/common | |
parent | cbf23f2b0fbc7705f6050ddc8b0b925132c4a290 (diff) | |
download | samba-fa8e69ac9538980c441b7fbefe0979027ecc8eac.tar.gz |
ctdb: buffer write beyond limits
In order to calculate the number of bytes correctly which
are to be read into the buffer, the buffer.offset must be taken
into account.
This patch fixes a regression introduced by 382705f495dd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13791
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Diffstat (limited to 'ctdb/common')
-rw-r--r-- | ctdb/common/ctdb_io.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/ctdb/common/ctdb_io.c b/ctdb/common/ctdb_io.c
index d86540762ea..c16eb7f67b7 100644
--- a/ctdb/common/ctdb_io.c
+++ b/ctdb/common/ctdb_io.c
@@ -164,6 +164,7 @@ static void queue_io_read(struct ctdb_queue *queue)
 {
 int num_ready = 0;
 uint32_t pkt_size = 0;
+ uint32_t start_offset;
 ssize_t nread;
 uint8_t *data;
@@ -226,7 +227,17 @@ buffer_shift:
 }
 data_read:
- num_ready = MIN(num_ready, queue->buffer.size - queue->buffer.length);
+ start_offset = queue->buffer.length + queue->buffer.offset;
+ if (start_offset < queue->buffer.length) {
+ DBG_ERR("Buffer overflow\n");
+ goto failed;
+ }
+ if (start_offset > queue->buffer.size) {
+ DBG_ERR("Buffer overflow\n");
+ goto failed;
+ }
+
+ num_ready = MIN(num_ready, queue->buffer.size - start_offset);
 if (num_ready > 0) {
 nread = sys_read(queue->fd, |
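Review bot: The read length under `data_read:` is now clamped against `start_offset`, but the destination pointer passed to `sys_read()` lies past the end of the hunk, so it cannot be confirmed here that the write begins at the position the clamp assumes. Passing `queue->buffer.data + start_offset` in that call would derive pointer and length from one value, so the two cannot drift apart in a later change. The two `DBG_ERR("Buffer overflow\n")` calls are indistinguishable in a log; something like `DBG_ERR("Buffer offset+length wrapped\n")` for the first and `DBG_ERR("Buffer offset+length exceeds size\n")` for the second would tell an operator which invariant failed. A short comment above the first check, e.g. `/* uint32_t sum wrapped around */`, would also make its purpose clear. `queue_io_read` starts before and continues after the visible lines.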