
[dm-devel] [PATCH] dm-ioctl.c: Don't overrun ioctl buffer

In retrieve_status(), we should make sure there is still space remaining in 
the ioctl buffer before calling the target's status() routine. In devices 
with lots of targets, this can cause a segfault when getting the device 
status or table from user-space.

Create a device with 500 linear targets. Then get the status or table for that 
device. Either one will cause a segfault in retrieve_status(). For me it's 
usually around the 334th target.

# Build a table with 500 one-sector linear targets, one per line
for ((a=0; a<500; a=a+1)); do
   echo "$a 1 linear /dev/hdb1 0" >> 500_linears
done
# Load that table and query the resulting device
dmsetup create 500_linears 500_linears
dmsetup status 500_linears

Looks like 2.4 could use this patch as well.

Kevin Corry
kevcorry us ibm com

In retrieve_status(), make sure we don't overrun the ioctl buffer.

--- diff/drivers/md/dm-ioctl.c	2004-04-05 15:18:48.000000000 -0500
+++ source/drivers/md/dm-ioctl.c	2004-04-05 15:18:35.000000000 -0500
@@ -815,6 +815,10 @@
 		outptr += sizeof(struct dm_target_spec);
 		remaining = len - (outptr - outbuf);
+		if (remaining <= 0) {
+			param->flags |= DM_BUFFER_FULL_FLAG;
+			break;
+		}
 		/* Get the status/table string from the target driver */
 		if (ti->type->status) {
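Review bot: the new `if (remaining <= 0)` check only works if `outptr` has not already advanced past `outbuf + len` at this point: `remaining` is computed as `len - (outptr - outbuf)`, so if it is an unsigned type the subtraction wraps to a huge value in that case and the test never fires, and even without wrapping only the `== 0` case can match. Please confirm that the bound check earlier in the loop guarantees this, and make the intent explicit by writing the comparison as `== 0` with a short comment, e.g. `/* status() needs room for at least its terminating NUL */`, since the existing comment below says what the next call does but not why zero bytes remaining is not enough for it.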

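The loop the patch fixes, as an added user-space model that is not the kernel's code: `struct spec`, `target_status`, `BUFFER_FULL_FLAG` and `g_outbuf` are stand-ins for `struct dm_target_spec`, a target's `status()` routine, `DM_BUFFER_FULL_FLAG` and the ioctl buffer. It shows why a check that only guarantees the spec header fits is not enough: the status string needs at least one byte for its NUL, which the hunk's check supplies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the retrieve_status() loop; spec, target_status and
 * BUFFER_FULL_FLAG are stand-ins, not the kernel's own identifiers. */
#define BUFFER_FULL_FLAG 0x1
struct spec { unsigned long start, len; };   /* stands in for dm_target_spec */
static char g_outbuf[64];                    /* the "ioctl buffer" */
static unsigned g_flags;                     /* stands in for param->flags */

/* Stand-in for a target's status(): like a real one it always needs room for
 * at least the terminating NUL.  Returns 1 if the text was cut, -1 if it was
 * handed zero bytes (the write would land past the end of the buffer). */
static int target_status(char *out, size_t maxlen, unsigned idx)
{
    int n;
    if (maxlen == 0)
        return -1;
    n = snprintf(out, maxlen, "/dev/hdb1 %u", idx);
    return n < 0 || (size_t)n >= maxlen;
}

/* Emit (spec, status string) pairs into outbuf[len].  guard != 0 applies the
 * patch's check after the spec header.  Returns the number of targets emitted,
 * or -1 when the unguarded loop would have written past the buffer. */
static int retrieve_status_model(char *outbuf, size_t len, unsigned ntargets,
                                 int guard, unsigned *flags)
{
    char *outptr = outbuf;
    unsigned i; int rc;
    *flags = 0;
    for (i = 0; i < ntargets; i++) {
        size_t remaining = len - (size_t)(outptr - outbuf);
        if (remaining < sizeof(struct spec))    /* pre-existing check: header fits */
            { *flags |= BUFFER_FULL_FLAG; break; }
        memset(outptr, 0, sizeof(struct spec)); /* the spec header */
        outptr += sizeof(struct spec);
        remaining = len - (size_t)(outptr - outbuf);
        if (guard && remaining == 0)            /* the hunk's new check */
            { *flags |= BUFFER_FULL_FLAG; break; }
        rc = target_status(outptr, remaining, i);
        if (rc < 0)
            return -1;                          /* unguarded zero-byte write */
        if (rc)
            { *flags |= BUFFER_FULL_FLAG; break; }
        outptr += strlen(outptr) + 1;           /* step past the NUL */
    }
    return (int)i;
}
```

With a buffer exactly one spec header long, the guarded loop stops with the buffer-full flag set, while the unguarded one hands `target_status()` zero bytes, the situation behind the segfault described above.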