author | Amitay Isaacs <amitay@gmail.com> | 2016-05-03 13:20:53 +1000 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2016-06-18 19:33:14 +0200 |
commit | e17396442a99504f559031dfaa03d08f9ad84616 (patch) | |
tree | 07e17aaec893a40fd9b1610cc49ef1657f9c44b0 /ctdb/protocol | |
parent | e3e8ce4b81d617b50f91e238d4e93a5075735658 (diff) | |
download | samba-e17396442a99504f559031dfaa03d08f9ad84616.tar.gz |
ctdb-protocol: Add checks to validate data on wire before unmarshaling
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Diffstat (limited to 'ctdb/protocol')
-rw-r--r-- | ctdb/protocol/protocol_types.c | 155 |
1 files changed, 149 insertions, 6 deletions
diff --git a/ctdb/protocol/protocol_types.c b/ctdb/protocol/protocol_types.c index d1890cf608e..d06d4407a1c 100644 --- a/ctdb/protocol/protocol_types.c +++ b/ctdb/protocol/protocol_types.c @@ -255,7 +255,12 @@ int ctdb_stringn_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(uint32_t)) { return EMSGSIZE; } - + if (wire->length > buflen) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) { + return EMSGSIZE; + } if (buflen < sizeof(uint32_t) + wire->length) { return EMSGSIZE; } @@ -331,6 +336,14 @@ int ctdb_statistics_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_statistics_list_wire, stats)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_statistics)) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_statistics_list_wire, stats) + + wire->num * sizeof(struct ctdb_statistics) < + offsetof(struct ctdb_statistics_list_wire, stats)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_statistics_list_wire, stats) + wire->num * sizeof(struct ctdb_statistics)) { return EMSGSIZE; @@ -386,6 +399,14 @@ int ctdb_vnn_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_vnn_map_wire, map)) { return EMSGSIZE; } + if (wire->size > buflen / sizeof(uint32_t)) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_vnn_map_wire, map) + + wire->size * sizeof(uint32_t) < + offsetof(struct ctdb_vnn_map_wire, map)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_vnn_map_wire, map) + wire->size * sizeof(uint32_t)) { return EMSGSIZE; 
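Review bot: The second check added to ctdb_stringn_pull, `if (sizeof(uint32_t) + wire->length < sizeof(uint32_t))`, cannot fire once `wire->length > buflen` has been rejected: length is then at most buflen, so the sum can only wrap if buflen itself sits within four bytes of SIZE_MAX, which no real buffer does. The same three-step pattern is then hand-copied into every other pull function in this file, which is exactly where a copy-paste slip (wrong struct in the sizeof, wrong offsetof member) tends to creep in; a single static helper taking the header size, count and element size, returning whether the buffer can hold them, would make each call site one line and put the overflow reasoning in one documented place. The stringn site would then read `if (!ctdb_wire_fits(buflen, sizeof(uint32_t), wire->length, 1)) { return EMSGSIZE; }`. ctdb_stringn_pull's signature and the later use of wire->length lie outside the hunk.
```c
/*
 * Check that a buffer of buflen bytes holds a hdr-byte header followed by
 * count elements of elem bytes each.  The division bounds count so the
 * product cannot wrap, and the subtraction cannot underflow because buflen
 * has already been shown to cover the header.
 */
static bool ctdb_wire_fits(size_t buflen, size_t hdr, size_t count, size_t elem)
{
	if (buflen < hdr || elem == 0) {
		return false;
	}
	if (count > buflen / elem) {
		return false;
	}
	return count * elem <= buflen - hdr;
}

/* … in ctdb_stringn_pull, replacing the three separate length checks … */
	if (!ctdb_wire_fits(buflen, sizeof(uint32_t), wire->length, 1)) {
		return EMSGSIZE;
	}
```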
@@ -436,6 +457,13 @@ int ctdb_dbid_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(uint32_t)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_dbid)) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid) < + sizeof(uint32_t)) { + return EMSGSIZE; + } if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_dbid)) { return EMSGSIZE; } @@ -597,14 +625,25 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen, size_t *reclen) { struct ctdb_rec_data_wire *wire = (struct ctdb_rec_data_wire *)buf; - size_t offset, n; + size_t offset; if (buflen < offsetof(struct ctdb_rec_data_wire, data)) { return EMSGSIZE; } - n = offsetof(struct ctdb_rec_data_wire, data) + - wire->keylen + wire->datalen; - if (buflen < n) { + if (wire->keylen > buflen || wire->datalen > buflen) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_rec_data_wire, data) + wire->keylen < + offsetof(struct ctdb_rec_data_wire, data)) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_rec_data_wire, data) + + wire->keylen + wire->datalen < + offsetof(struct ctdb_rec_data_wire, data)) { + return EMSGSIZE; + } + if (buflen < offsetof(struct ctdb_rec_data_wire, data) + + wire->keylen + wire->datalen) { return EMSGSIZE; } @@ -622,7 +661,8 @@ static int ctdb_rec_data_pull_data(uint8_t *buf, size_t buflen, data->dsize = wire->datalen; data->dptr = &wire->data[offset]; - *reclen = n; + *reclen = offsetof(struct ctdb_rec_data_wire, data) + + wire->keylen + wire->datalen; return 0; } 
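Review bot: ctdb_rec_data_pull_data now spells out `offsetof(struct ctdb_rec_data_wire, data) + wire->keylen + wire->datalen` three times — in two of the new checks and again in the `*reclen` assignment of the following hunk — after this commit deletes the local `n` that used to hold it, so the copies can silently drift apart on the next edit. Keeping the local and building it under the same guards leaves one source of truth: `n = offsetof(struct ctdb_rec_data_wire, data) + wire->keylen + wire->datalen;` once the wrap checks have passed, then `if (buflen < n) { return EMSGSIZE; }` and `*reclen = n;`. The first guard, `wire->keylen > buflen || wire->datalen > buflen`, already bounds each field by buflen, so the two wrap checks that follow can only trigger when buflen exceeds SIZE_MAX/2; they are harmless, but a one-line comment marking them as defensive would spare the next reader re-deriving that. The middle of the function, where `offset` and the key/data pointers are derived, lies between the two hunks and is not visible here.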
@@ -1111,6 +1151,13 @@ int ctdb_tunable_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_tunable_wire, name)) { return EMSGSIZE; } + if (wire->length > buflen) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_tunable_wire, name) + wire->length < + offsetof(struct ctdb_tunable_wire, name)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_tunable_wire, name) + wire->length) { return EMSGSIZE; } @@ -1205,6 +1252,12 @@ int ctdb_var_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(uint32_t)) { return EMSGSIZE; } + if (wire->length > buflen) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->length < sizeof(uint32_t)) { + return EMSGSIZE; + } if (buflen < sizeof(uint32_t) + wire->length) { return EMSGSIZE; } @@ -1315,6 +1368,14 @@ int ctdb_tickle_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_tickle_list_wire, conn)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_connection)) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_tickle_list_wire, conn) + + wire->num * sizeof(struct ctdb_connection) < + offsetof(struct ctdb_tickle_list_wire, conn)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_tickle_list_wire, conn) + wire->num * sizeof(struct ctdb_connection)) { return EMSGSIZE; @@ -1392,6 +1453,13 @@ int ctdb_addr_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_addr_info_wire, iface)) { return EMSGSIZE; } + if (wire->len > buflen) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_addr_info_wire, iface) + wire->len < + offsetof(struct ctdb_addr_info_wire, iface)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_addr_info_wire, iface) + wire->len) { return EMSGSIZE; } 
@@ -1565,6 +1633,13 @@ int ctdb_public_ip_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(uint32_t)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_public_ip)) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_public_ip) < + sizeof(uint32_t)) { + return EMSGSIZE; + } if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_public_ip)) { return EMSGSIZE; @@ -1682,6 +1757,21 @@ int ctdb_node_map_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, int i; bool ret; + if (buflen < sizeof(uint32_t)) { + return EMSGSIZE; + } + if (wire->num > buflen / sizeof(struct ctdb_node_and_flags)) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_node_and_flags) < + sizeof(uint32_t)) { + return EMSGSIZE; + } + if (buflen < sizeof(uint32_t) + + wire->num * sizeof(struct ctdb_node_and_flags)) { + return EMSGSIZE; + } + nodemap = talloc(mem_ctx, struct ctdb_node_map); if (nodemap == NULL) { return ENOMEM; @@ -1817,6 +1907,12 @@ int ctdb_script_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offset) { return EMSGSIZE; } + if (wire->num_scripts > buflen / sizeof(struct ctdb_script)) { + return EMSGSIZE; + } + if (offset + wire->num_scripts * sizeof(struct ctdb_script) < offset) { + return EMSGSIZE; + } if (buflen < offset + wire->num_scripts * sizeof(struct ctdb_script)) { return EMSGSIZE; } @@ -1938,6 +2034,13 @@ int ctdb_notify_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_notify_data_wire, data)) { return EMSGSIZE; } + if (wire->len > buflen) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_notify_data_wire, data) + wire->len < + offsetof(struct ctdb_notify_data_wire, data)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_notify_data_wire, data) + wire->len) { return EMSGSIZE; } 
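Review bot: In ctdb_node_map_pull the visible context goes from the declarations `int i; bool ret;` straight to `nodemap = talloc(...)` with every check in between being an added line, so as far as this hunk shows nothing validated buflen here before; the new block closes a short-message read of `wire->num` and the node array rather than only an integer wrap, which is more than the commit title "Add checks to validate data on wire" conveys. That distinction deserves a sentence in the commit message, since it decides which stable branches should receive the change. The check itself is sound: `wire->num > buflen / sizeof(struct ctdb_node_and_flags)` bounds the product by buflen, which also makes the `< sizeof(uint32_t)` wrap test that follows unreachable in practice, so a comment such as `/* product already bounded by buflen above; wrap test is defensive */` would help. The loop that consumes `wire->num` entries lies outside the hunk.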
@@ -2033,6 +2136,13 @@ int ctdb_iface_list_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(uint32_t)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_iface)) { + return EMSGSIZE; + } + if (sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface) < + sizeof(uint32_t)) { + return EMSGSIZE; + } if (buflen < sizeof(uint32_t) + wire->num * sizeof(struct ctdb_iface)) { return EMSGSIZE; } @@ -2093,6 +2203,18 @@ int ctdb_public_ip_info_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces)) { return EMSGSIZE; } + if (wire->num > buflen / sizeof(struct ctdb_iface)) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_public_ip_info_wire, ifaces) + + wire->num * sizeof(struct ctdb_iface) < + offsetof(struct ctdb_public_ip_info_wire, ifaces)) { + return EMSGSIZE; + } + if (buflen < offsetof(struct ctdb_public_ip_info_wire, ifaces) + + wire->num * sizeof(struct ctdb_iface)) { + return EMSGSIZE; + } ipinfo = talloc(mem_ctx, struct ctdb_public_ip_info); if (ipinfo == NULL) { @@ -2152,6 +2274,13 @@ int ctdb_key_data_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < offsetof(struct ctdb_key_data_wire, key)) { return EMSGSIZE; } + if (wire->keylen > buflen) { + return EMSGSIZE; + } + if (offsetof(struct ctdb_key_data_wire, key) + wire->keylen < + offsetof(struct ctdb_key_data_wire, key)) { + return EMSGSIZE; + } if (buflen < offsetof(struct ctdb_key_data_wire, key) + wire->keylen) { return EMSGSIZE; } 
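Review bot: In ctdb_public_ip_info_pull the final comparison against `offsetof(struct ctdb_public_ip_info_wire, ifaces) + wire->num * sizeof(struct ctdb_iface)` is itself an added line, so before this commit the function checked only that the header fit and then presumably read `wire->num` interface entries that nothing bounded; unlike most of its siblings in this diff, this hunk fixes a missing length check, not just a wrap-around. A comment on the new block, or a line in the commit message, would make that visible to whoever triages or backports it; I would write `/* No total-length check existed here before; the ifaces array was read unbounded. */`. The `wire->num > buflen / sizeof(struct ctdb_iface)` test already bounds the product by buflen, so the wrap check between it and the final comparison cannot trigger unless buflen is within the header size of SIZE_MAX. The loop that copies the ifaces lies outside the hunk.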
@@ -2222,9 +2351,23 @@ int ctdb_db_statistics_pull(uint8_t *buf, size_t buflen, TALLOC_CTX *mem_ctx, if (buflen < sizeof(struct ctdb_db_statistics)) { return EMSGSIZE; } + offset = 0; for (i=0; i<wire->dbstats.num_hot_keys; i++) { + if (wire->dbstats.hot_keys[i].key.dsize > buflen) { + return EMSGSIZE; + } + if (offset + wire->dbstats.hot_keys[i].key.dsize < offset) { + return EMSGSIZE; + } offset += wire->dbstats.hot_keys[i].key.dsize; + if (offset > buflen) { + return EMSGSIZE; + } + } + if (sizeof(struct ctdb_db_statistics) + offset < + sizeof(struct ctdb_db_statistics)) { + return EMSGSIZE; } if (buflen < sizeof(struct ctdb_db_statistics) + offset) { return EMSGSIZE; |