Date:      Tue, 27 Dec 2016 17:13:32 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r310633 - head/usr.sbin/ctld
Message-ID:  <201612271713.uBRHDWac098798@repo.freebsd.org>

Author: mav
Date: Tue Dec 27 17:13:31 2016
New Revision: 310633
URL: https://svnweb.freebsd.org/changeset/base/310633

Log:
  Add MAX_LUNS overflow safety checks.
  
  While this MAX_LUNS limitation is too synthetic and should be removed,
  it is better to enforce it while it is here.
  
  MFC after:	2 weeks

Modified:
  head/usr.sbin/ctld/parse.y
  head/usr.sbin/ctld/uclparse.c

Modified: head/usr.sbin/ctld/parse.y
==============================================================================
--- head/usr.sbin/ctld/parse.y	Tue Dec 27 11:31:17 2016	(r310632)
+++ head/usr.sbin/ctld/parse.y	Tue Dec 27 17:13:31 2016	(r310633)
@@ -821,6 +821,11 @@ lun_number:	STR
 			free($1);
 			return (1);
 		}
+		if (tmp >= MAX_LUNS) {
+			yyerror("LU number is too big");
+			free($1);
+			return (1);
+		}
 
 		ret = asprintf(&name, "%s,lun,%ju", target->t_name, tmp);
 		if (ret <= 0)
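Review bot: The new `tmp >= MAX_LUNS` guard in lun_number carries no comment saying what it protects, and the use of tmp after the asprintf() call lies outside this hunk. In uclparse.c in this same commit tmp is the index into `target->t_luns[]`, so presumably the same holds here; a comment such as `/* tmp is used as an index into target->t_luns; keep it below MAX_LUNS */` above the check would stop the bound from being dropped when the limit is revisited. The same applies to the identical check added to target_lun_ref in the next hunk. Both yyerror() messages also omit the offending number, unlike the log_warnx() text added in uclparse.c.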
@@ -845,6 +850,11 @@ target_lun_ref:	LUN STR STR
 			return (1);
 		}
 		free($2);
+		if (tmp >= MAX_LUNS) {
+			yyerror("LU number is too big");
+			free($3);
+			return (1);
+		}
 
 		lun = lun_find(conf, $3);
 		free($3);

Modified: head/usr.sbin/ctld/uclparse.c
==============================================================================
--- head/usr.sbin/ctld/uclparse.c	Tue Dec 27 11:31:17 2016	(r310632)
+++ head/usr.sbin/ctld/uclparse.c	Tue Dec 27 17:13:31 2016	(r310633)
@@ -183,18 +183,25 @@ static int
 uclparse_target_lun(struct target *target, const ucl_object_t *obj)
 {
 	struct lun *lun;
+	uint64_t tmp;
 
 	if (obj->type == UCL_INT) {
 		char *name;
 
-		asprintf(&name, "%s,lun,%ju", target->t_name,
-		    ucl_object_toint(obj));
+		tmp = ucl_object_toint(obj);
+		if (tmp >= MAX_LUNS) {
+			log_warnx("LU number %ju in target \"%s\" is too big",
+			    tmp, target->t_name);
+			return (1);
+		}
+
+		asprintf(&name, "%s,lun,%ju", target->t_name, tmp);
 		lun = lun_new(conf, name);
 		if (lun == NULL)
 			return (1);
 
 		lun_set_scsiname(lun, name);
-		target->t_luns[ucl_object_toint(obj)] = lun;
+		target->t_luns[tmp] = lun;
 		return (0);
 	}
 
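Review bot: The rewritten `asprintf(&name, ...)` call in the UCL_INT branch still ignores its return value, so on allocation failure `name` may be NULL or indeterminate when it reaches lun_new() and lun_set_scsiname(); parse.y checks `ret <= 0` for the same call. Suggest `if (asprintf(&name, "%s,lun,%ju", target->t_name, (uintmax_t)tmp) <= 0) return (1);` with a log_warnx() before the return. The `%ju` conversions here and in the log_warnx() calls (this hunk and the next) are passed a `uint64_t`; casting to `(uintmax_t)` keeps format and argument types matched on every platform. Because ucl_object_toint() returns a signed value, a negative number in the config is rejected by the check but is reported as a very large number.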
@@ -207,6 +214,12 @@ uclparse_target_lun(struct target *targe
 			    "\"number\" integer property", target->t_name);
 			return (1);
 		}
+		tmp = ucl_object_toint(num);
+		if (tmp >= MAX_LUNS) {
+			log_warnx("LU number %ju in target \"%s\" is too big",
+			    tmp, target->t_name);
+			return (1);
+		}
 
 		if (name == NULL || name->type != UCL_STRING) {
 			log_warnx("lun section in target \"%s\" is missing "
@@ -218,7 +231,7 @@ uclparse_target_lun(struct target *targe
 		if (lun == NULL)
 			return (1);
 
-		target->t_luns[ucl_object_toint(num)] = lun;
+		target->t_luns[tmp] = lun;
 	}
 
 	return (0);


