There is no guarantee that req->data is a string. Actually, the current code can cause a buffer overrun when, e.g., SD_OP_FORCE_RECOVER is requested.
Signed-off-by: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
---
 include/util.h | 1 +
 lib/util.c | 16 ++++++++++++++++
 sheep/request.c | 2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/include/util.h b/include/util.h
index 9545270..5976ef9 100644
--- a/include/util.h
+++ b/include/util.h
@@ -107,6 +107,7 @@ char *chomp(char *str);
 int rmdir_r(const char *dir_path);
 int purge_directory(const char *dir_path);
 bool is_numeric(const char *p);
+const char *data_to_str(void *data, size_t data_length);
 int install_sighandler(int signum, void (*handler)(int), bool once);
 int install_crash_handler(void (*handler)(int));
 void reraise_crash_signal(int signo, int status);
diff --git a/lib/util.c b/lib/util.c
index aa4ffb2..64753db 100644
--- a/lib/util.c
+++ b/lib/util.c
@@ -495,6 +495,22 @@ bool is_numeric(const char *s)
 }
 
 /*
+ * We regard 'data' as string when it contains '\0' in the first 256 characters.
+ */
+const char *data_to_str(void *data, size_t data_length)
+{
+ data_length = MIN(data_length, 256);
+
+ if (data == NULL)
+ return "(null)";
+
+ if (memchr(data, '\0', data_length) != NULL)
+ return data;
+
+ return "(not string)";
+}
+
+/*
  * If 'once' is true, the signal will be restored to the default state
  * after 'handler' is called.
  */
diff --git a/sheep/request.c b/sheep/request.c
index d817205..fbaf645 100644
--- a/sheep/request.c
+++ b/sheep/request.c
@@ -771,7 +771,7 @@ static void rx_main(struct work *work)
 ci->conn.fd, ci->conn.ipstr, ci->conn.port,
 op_name(get_sd_op(req->rq.opcode)),
- (char *)req->data);
+ data_to_str(req->data, req->rp.data_length));
 } else {
 sd_debug("%d, %s:%d", ci->conn.fd,
-- 
1.7.10.4 |
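Review bot: The new prototype takes `void *data` although data_to_str only reads the buffer; declaring it `const char *data_to_str(const void *data, size_t data_length);` lets callers pass const payloads and records that the helper never writes through the pointer. The same change applies to the definition in the lib/util.c hunk, where both the `memchr` call and the returned pointer are compatible with a const argument.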
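Review bot: The header comment above data_to_str leaves the contract implicit: the function returns `data` itself when a NUL byte is found within the first `MIN(data_length, 256)` bytes and a string literal otherwise, so the caller keeps ownership and lifetime of the former, and `data_length` must be the true size of the buffer behind `data` because memchr reads up to that bound. I would extend the comment to say that a payload whose terminator lies beyond byte 256 is reported as "(not string)" rather than printed, and that a zero-length payload also yields "(not string)" since memchr with a zero count matches nothing. The literal 256 could become a named constant (for example `#define DATA_TO_STR_PROBE_LEN 256`) so the comment and the clamp cannot drift apart.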
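Review bot: The bound handed to data_to_str is `req->rp.data_length`, the response header's field, while the buffer being probed is the request payload `req->data`; if rp.data_length has not yet been populated from the received request at this point in rx_main, or does not match the allocation behind req->data, memchr can still read past the buffer this patch is meant to protect. Unless the receive path copies the length into rp before rx_main runs, `req->rq.data_length` looks like the right bound, so please confirm against the code that allocates req->data. rx_main starts and ends outside the hunk.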