[Pvfs2-cvs] commit by mtmoore in pvfs2/src/server: del-eattr.sm get-eattr.sm list-eattr.sm set-eattr.sm

CVS commit program cvs at parl.clemson.edu
Fri Feb 25 17:20:48 EST 2011


Update of /projects/cvsroot/pvfs2/src/server
In directory parlweb1:/tmp/cvs-serv30157/src/server

Modified Files:
      Tag: Orange-Branch
	del-eattr.sm get-eattr.sm list-eattr.sm set-eattr.sm 
Log Message:
Fix a segfault in list-eattr that occurs if the client provides too large a buffer, found by Mike Marshall. Also includes other changes to enforce attribute name, value and list lengths for eattr operations on the server side and for list-eattr on the client side.


Index: del-eattr.sm
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/server/del-eattr.sm,v
diff -p -u -r1.16 -r1.16.10.1
--- del-eattr.sm	20 Nov 2008 01:17:10 -0000	1.16
+++ del-eattr.sm	25 Feb 2011 22:20:48 -0000	1.16.10.1
@@ -77,6 +77,13 @@ static PINT_sm_action deleattr_verify_ea
                  PINT_util_get_object_type(a_p->objtype),
                  a_p->owner, a_p->group, a_p->perms, a_p->objtype);
 
+
+    if( s_op->req->u.deleattr.key.buffer_sz > PVFS_MAX_XATTR_NAMELEN )
+    {
+        js_p->error_code = -PVFS_EINVAL;
+        return SM_ACTION_COMPLETE;
+    }
+
     switch (a_p->objtype)
     {
     case PVFS_TYPE_METAFILE :
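Review bot: The new guard on `s_op->req->u.deleattr.key.buffer_sz` checks only the upper bound. If `buffer_sz` is a signed type (its declaration is not visible in this hunk), a negative size taken from the request still passes and reaches the code below. Consider bounding both sides, e.g. `if( s_op->req->u.deleattr.key.buffer_sz < 0 || s_op->req->u.deleattr.key.buffer_sz > PVFS_MAX_XATTR_NAMELEN )`. The same one-sided comparison is used for `nkey`, `buffer_sz` and `keysz[i]` in the get-eattr.sm, list-eattr.sm and set-eattr.sm hunks. The enclosing function starts and ends outside the hunk.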

Index: get-eattr.sm
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/server/get-eattr.sm,v
diff -p -u -r1.21 -r1.21.10.1
--- get-eattr.sm	20 Nov 2008 01:17:10 -0000	1.21
+++ get-eattr.sm	25 Feb 2011 22:20:48 -0000	1.21.10.1
@@ -85,11 +85,25 @@ static PINT_sm_action geteattr_setup_res
 
     js_p->error_code = 0;
 
+    /* ensure not too many keys were requested */
+    if( s_op->req->u.geteattr.nkey > PVFS_MAX_XATTR_LISTLEN )
+    {
+        js_p->error_code = -PVFS_EINVAL;
+        return SM_ACTION_COMPLETE;
+    }
+
     /* iterate through the keys and see if they fall into valid name spaces */
     for(i=0; i<s_op->req->u.geteattr.nkey; i++)
     {
         gossip_debug(GOSSIP_GETEATTR_DEBUG, "geteattr key %d : %s\n", i, 
                 (char *) s_op->req->u.geteattr.key[i].buffer);
+
+        /* ensure no buffer_sz is too larger */
+        if( s_op->req->u.geteattr.key[i].buffer_sz > PVFS_MAX_XATTR_NAMELEN )
+        {
+            js_p->error_code = -PVFS_EINVAL;
+            return SM_ACTION_COMPLETE;
+        }
 
         js_p->error_code = PINT_eattr_check_access(
             &s_op->req->u.geteattr.key[i],
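Review bot: Inside the loop, the `gossip_debug` call formats `key[i].buffer` with `%s` before the new `buffer_sz > PVFS_MAX_XATTR_NAMELEN` check runs. An oversized or unterminated key from the request is therefore still read as a C string whenever that debug output is evaluated. Move the size check above the `gossip_debug` call, and consider a bounded format such as `%.*s` with `buffer_sz` as the precision. The added comment `/* ensure no buffer_sz is too larger */` would read better as `/* reject any key whose buffer_sz exceeds PVFS_MAX_XATTR_NAMELEN */`. The loop body continues past the end of the hunk.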

Index: list-eattr.sm
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/server/list-eattr.sm,v
diff -p -u -r1.14 -r1.14.10.1
--- list-eattr.sm	20 Nov 2008 01:17:10 -0000	1.14
+++ list-eattr.sm	25 Feb 2011 22:20:48 -0000	1.14.10.1
@@ -84,6 +84,30 @@ static PINT_sm_action listeattr_setup_re
 
     js_p->error_code = 0;
 
+    /* ensure not too many keys were requested */
+    if( s_op->req->u.listeattr.nkey > PVFS_MAX_XATTR_LISTLEN )
+    {
+        js_p->error_code = -PVFS_EINVAL;
+        return SM_ACTION_COMPLETE;
+    }
+
+    /* enforce that no key size be larger than PVFS_MAX_XATTR_NAMELEN.
+     * Otherwise, when a blind memcpy happens inside dbpf based on the key 
+     * size we won't over run our fixed length buffer. fixed buffer size is: 
+     * PVFS_NAME_MAX ==  DBPF_MAX_KEY_LENGTH == PVFS_MAX_XATTR_NAMELEN */
+    for( i = 0; i < s_op->req->u.listeattr.nkey; i++)
+    {
+        if( s_op->req->u.listeattr.keysz[i] > PVFS_MAX_XATTR_NAMELEN )
+        {
+             gossip_debug(GOSSIP_LISTEATTR_DEBUG, "%s: requested key %d "
+                          "size of %ld is greater than maximum of %d\n",
+                          __func__, i, (int64_t)s_op->req->u.listeattr.keysz[i],
+                          PVFS_MAX_XATTR_NAMELEN );
+            js_p->error_code = -PVFS_EINVAL;
+            return SM_ACTION_COMPLETE;
+        }
+    }
+
     s_op->resp.u.listeattr.key =
         malloc(s_op->req->u.listeattr.nkey * sizeof(PVFS_ds_keyval));
     if (!s_op->resp.u.listeattr.key)
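Review bot: The added `gossip_debug` call prints `(int64_t)s_op->req->u.listeattr.keysz[i]` with `%ld`, which mismatches the argument on any platform where `int64_t` is not `long` (typically 32-bit builds). Cast to `long long` and use `%lld` so the rejection path itself is well defined. The block comment above the loop is also inverted: "Otherwise, ... we won't over run our fixed length buffer" states the opposite of the intent. Something like `/* Reject any key size larger than PVFS_MAX_XATTR_NAMELEN so that the memcpy inside dbpf, which trusts the key size, cannot overrun its fixed-length buffer. */` says what the check protects. The enclosing function starts before the hunk and continues after it.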
@@ -93,8 +117,11 @@ static PINT_sm_action listeattr_setup_re
     }
 
     s_op->resp.u.listeattr.nkey = s_op->req->u.listeattr.nkey;
+
     for (i = 0, tsz = 0; i < s_op->req->u.listeattr.nkey; i++)
+    {
         tsz += s_op->req->u.listeattr.keysz[i];
+    }
     s_op->u.eattr.buffer = malloc(tsz);
     if (!s_op->u.eattr.buffer)
     {

Index: set-eattr.sm
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/server/set-eattr.sm,v
diff -p -u -r1.21.10.4 -r1.21.10.5
--- set-eattr.sm	31 Aug 2010 19:05:32 -0000	1.21.10.4
+++ set-eattr.sm	25 Feb 2011 22:20:48 -0000	1.21.10.5
@@ -127,6 +127,27 @@ static int seteattr_verify_eattribs(
                  PINT_util_get_object_type(a_p->objtype),
                  a_p->owner, a_p->group, a_p->perms, a_p->objtype);
 
+    if( s_op->req->u.seteattr.nkey > PVFS_MAX_XATTR_LISTLEN  )
+    {
+        js_p->error_code = -PVFS_EINVAL;
+        return SM_ACTION_COMPLETE;
+    }
+
+    for( i = 0; i < s_op->req->u.seteattr.nkey; i++ )
+    {
+        if( s_op->req->u.seteattr.key[i].buffer_sz > PVFS_MAX_XATTR_NAMELEN )
+        {
+            js_p->error_code = -PVFS_EINVAL;
+            return SM_ACTION_COMPLETE;
+        }
+
+        if( s_op->req->u.seteattr.val[i].buffer_sz > PVFS_MAX_XATTR_VALUELEN )
+        {
+            js_p->error_code = -PVFS_EINVAL;
+            return SM_ACTION_COMPLETE;
+        }
+    }
+
     /* iterate through the keys that are being written */
     int j = 0;
     char *valBuf = NULL;
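Review bot: The three new rejection paths set `-PVFS_EINVAL` and return without logging anything. A rejected request therefore leaves no trace of whether the key count, a key name or a value exceeded its limit, or by how much. The list-eattr.sm hunk in this same commit logs the index, the offending size and the maximum. A matching `gossip_debug` line before each `return SM_ACTION_COMPLETE;` here, using the debug mask this file already uses, would make malformed or hostile requests visible to whoever is diagnosing the server. The checks in the del-eattr.sm and get-eattr.sm hunks are silent in the same way. The declaration of `i` and the rest of the function are outside the hunk.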


