|
 |
a1c519 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
a1c519 |
From: Benjamin Marzinski <bmarzins@redhat.com>
|
|
|
a1c519 |
Date: Thu, 16 May 2019 13:31:35 -0500
|
|
|
a1c519 |
Subject: [PATCH] multipathd: fix REALLOC_REPLY with max length reply
|
|
|
a1c519 |
|
|
|
a1c519 |
Commit cd5a9797e added code to REALLOC_REPLY() that intended to stop
|
|
|
a1c519 |
growing the reply buffer after it reached a maximum size. However this
|
|
|
a1c519 |
coded didn't stop the realloc() from happening. Worse, if the realloci()
|
|
|
a1c519 |
failed, multipathd would double free the reply buffer. Found by
|
|
|
a1c519 |
Coverity.
|
|
|
a1c519 |
|
|
|
a1c519 |
Fixes: cd5a9797e "libmpathcmd(coverity): limit reply length"
|
|
|
a1c519 |
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
|
|
|
a1c519 |
---
|
|
|
a1c519 |
multipathd/cli.h | 17 +++++++++--------
|
|
|
a1c519 |
1 file changed, 9 insertions(+), 8 deletions(-)
|
|
|
a1c519 |
|
|
|
a1c519 |
diff --git a/multipathd/cli.h b/multipathd/cli.h
|
|
|
a1c519 |
index f3fa077..32dcffa 100644
|
|
|
a1c519 |
--- a/multipathd/cli.h
|
|
|
a1c519 |
+++ b/multipathd/cli.h
|
|
|
a1c519 |
@@ -100,15 +100,16 @@ enum {
|
|
|
a1c519 |
if (m >= MAX_REPLY_LEN) { \
|
|
|
a1c519 |
condlog(1, "Warning: max reply length exceeded"); \
|
|
|
a1c519 |
free(tmp); \
|
|
|
a1c519 |
- r = NULL; \
|
|
|
a1c519 |
+ (r) = NULL; \
|
|
|
a1c519 |
+ } else { \
|
|
|
a1c519 |
+ (r) = REALLOC((r), (m) * 2); \
|
|
|
a1c519 |
+ if ((r)) { \
|
|
|
a1c519 |
+ memset((r) + (m), 0, (m)); \
|
|
|
a1c519 |
+ (m) *= 2; \
|
|
|
a1c519 |
+ } \
|
|
|
a1c519 |
+ else \
|
|
|
a1c519 |
+ free(tmp); \
|
|
|
a1c519 |
} \
|
|
|
a1c519 |
- (r) = REALLOC((r), (m) * 2); \
|
|
|
a1c519 |
- if ((r)) { \
|
|
|
a1c519 |
- memset((r) + (m), 0, (m)); \
|
|
|
a1c519 |
- (m) *= 2; \
|
|
|
a1c519 |
- } \
|
|
|
a1c519 |
- else \
|
|
|
a1c519 |
- free(tmp); \
|
|
|
a1c519 |
} \
|
|
|
a1c519 |
} while (0)
|
|
|
a1c519 |
|
|
|
a1c519 |
--
|
|
|
a1c519 |
2.17.2
|
|
|
a1c519 |
|