[sheepdog] [PATCH stable-0.7 2/5] sheep: add helper function to make sure that req->data is string

Hitoshi Mitake mitake.hitoshi at lab.ntt.co.jp
Mon Feb 24 07:06:23 CET 2014


From: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>

There is no guarantee that req->data is a string.  Actually, the
current code can cause a buffer overrun when, e.g.,
SD_OP_FORCE_RECOVER is requested.

Signed-off-by: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
Signed-off-by: Liu Yuan <namei.unix at gmail.com>
---
 include/util.h  |    1 +
 lib/util.c      |   16 ++++++++++++++++
 sheep/request.c |    2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/include/util.h b/include/util.h
index e0cc0c5..7528a5d 100644
--- a/include/util.h
+++ b/include/util.h
@@ -107,6 +107,7 @@ void pstrcpy(char *buf, int buf_size, const char *str);
 int rmdir_r(char *dir_path);
 int purge_directory(char *dir_path);
 bool is_numeric(const char *p);
+const char *data_to_str(void *data, size_t data_length);
 int install_sighandler(int signum, void (*handler)(int), bool once);
 int install_crash_handler(void (*handler)(int));
 void reraise_crash_signal(int signo, int status);
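Review bot: the new data_to_str() prototype takes a non-const `void *data` even though it returns a `const char *` and, per the implementation in lib/util.c, only reads the buffer. Declaring the parameter as `const void *data` would document that the helper does not modify the data and lets callers pass read-only buffers without a cast. A short comment at the declaration saying that the return value is either `data` itself or a static placeholder string would also tell callers they must not free or modify it.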
diff --git a/lib/util.c b/lib/util.c
index 9781fd8..5d448aa 100644
--- a/lib/util.c
+++ b/lib/util.c
@@ -486,6 +486,22 @@ bool is_numeric(const char *s)
 }
 
 /*
+ * We regard 'data' as string when it contains '\0' in the first 256 characters.
+ */
+const char *data_to_str(void *data, size_t data_length)
+{
+	data_length = MIN(data_length, 256);
+
+	if (data == NULL)
+		return "(null)";
+
+	if (memchr(data, '\0', data_length) != NULL)
+		return data;
+
+	return "(not string)";
+}
+
+/*
  * If 'once' is true, the signal will be restored to the default state
  * after 'handler' is called.
  */
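Review bot: the memchr() scan in data_to_str() is only as safe as the `data_length` the caller supplies. If that value is larger than the buffer actually backing `data`, the scan can still read up to 256 bytes past the end, so the comment above the function should state that `data_length` must not exceed the allocated size. The literal 256 appears both in the comment and in `MIN(data_length, 256)` and would be easier to keep in sync as a named constant. Note also that the helper only checks for a terminating '\0'; any non-printable bytes before it are returned unchanged to the caller.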
diff --git a/sheep/request.c b/sheep/request.c
index fbdc904..87286b0 100644
--- a/sheep/request.c
+++ b/sheep/request.c
@@ -586,7 +586,7 @@ static void rx_main(struct work *work)
 			ci->conn.fd,
 			ci->conn.ipstr, ci->conn.port,
 			op_name(get_sd_op(req->rq.opcode)),
-			(char *)req->data);
+			data_to_str(req->data, req->rp.data_length));
 	} else {
 		sd_debug("%d, %s:%d",
 			 ci->conn.fd,
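Review bot: in rx_main() the bound passed to data_to_str() is taken from `req->rp.data_length`, while the opcode two lines above is read from `req->rq`. Please confirm that the response header's data_length describes the size of the received `req->data` at this point in the receive path; if it does not, use the length field that describes the request payload, since data_to_str() depends on that value to bound its memchr().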
-- 
1.7.10.4



