[pve-devel] applied: [PATCH cluster] pmxcfs server: fix off-by-one error when ensuring string NUL termination

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Aug 30 14:43:18 CEST 2019


done once, then copied over by copy-is-my-hobby, once by me too :)

While this is in the relatively big SHM we get from the libqb-backed
IPC mechanisms, and thus there's a really, really low chance to hit a
corruption of another following data element here, it's still a
possibility.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 data/src/server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/src/server.c b/data/src/server.c
index 6371edb..36acc1d 100644
--- a/data/src/server.c
+++ b/data/src/server.c
@@ -245,7 +245,7 @@ static int32_t s1_msg_process_fn(
 			result = -EINVAL;
 		} else {
 			/* make sure path is 0 terminated */
-			((char *)data)[request_size] = 0;
+			((char *)data)[request_size - 1] = 0;
 			char *path = (char*) data + sizeof(struct qb_ipc_request_header);
 
 			if (ctx->read_only &&  path_is_private(path)) {
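Review bot: the new index `request_size - 1` is only safe if the guard in the `if` branch just above (its condition is outside this hunk) rejects any request whose `request_size` is not strictly larger than `sizeof(struct qb_ipc_request_header)`; otherwise `((char *)data)[request_size - 1] = 0;` lands inside the IPC header, and for `request_size == 0` the unsigned subtraction wraps to a huge index. Please confirm that guard or state it in the commit message. The comment `/* make sure path is 0 terminated */` should also say that this overwrites the last byte of the payload rather than appending a terminator, so a client that sends `path` without a trailing NUL now has its final character silently dropped instead of the server reading past the buffer.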
@@ -305,7 +305,7 @@ static int32_t s1_msg_process_fn(
 			result = -EINVAL;
 		} else {
 			/* make sure user string is 0 terminated */
-			((char *)data)[request_size] = 0;
+			((char *)data)[request_size - 1] = 0;
 			char *user = (char*) data + sizeof(cfs_log_get_request_header_t);
 
 			uint32_t max = rh->max_entries ?  rh->max_entries : 50;
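Review bot: same guard question as in the first hunk: `request_size - 1` must remain past `sizeof(cfs_log_get_request_header_t)` for `user` to be terminated rather than the header corrupted, and this hunk does not show where that is checked. On style, this is the second verbatim copy of `((char *)data)[request_size - 1] = 0;`, and the commit message itself attributes the original bug to copy-and-paste; a small static helper that takes `data` and `request_size` and NUL-terminates the last byte would keep the three call sites from drifting apart again.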
@@ -337,7 +337,7 @@ static int32_t s1_msg_process_fn(
 			cfs_debug("proplen <= 0, %d", proplen);
 			result = -EINVAL;
 		} else {
-			((char *)data)[request_size] = 0; // ensure property is 0 terminated
+			((char *)data)[request_size - 1] = 0; // ensure property is 0 terminated
 
 			cfs_debug("cfs_get_guest_config_property: basic valid checked, do request");
 
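Review bot: the trailing `// ensure property is 0 terminated` comment is the only one of the three sites that annotates the assignment with a `//` line comment; the other two hunks use a `/* ... */` comment on the line above, so align this one for consistency. Since the context shows a separate `proplen <= 0` validation right before this write, it would also help the next reader if the comment spelled out how `proplen` relates to `request_size`, i.e. that the NUL is written to the last byte of the whole request buffer, not to `proplen`, and that this clobbers the property's final character if the client did not send a terminator.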
-- 
2.20.1
