Add array bounds checking in h_Enumerate

When hostList is not properly NULL-terminated, the current code does
not protect from buffer overflow.  The following patch prevents buffer
overflow, prints a message, and asserts.

On our Linux hosts, we never reached the original assert, as there is
a problem handling the segfault the buffer overflow causes.

FIXES 125506

Reviewed-on: http://gerrit.openafs.org/757
Reviewed-by: Dan Hyde <drh@umich.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit 93d48b1735b88b3051357307bdbebf5da9872d69)

Change-Id: Idb920d2bd309b40ae9bebc6972e614ddf9ba8dcc
Reviewed-on: http://gerrit.openafs.org/862
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/viced/host.c b/src/viced/host.c
index 4729774c0326dd812afcee5dc98821d104332e21..57fe1302b999acf107ea9cb2e9bdee575a4eb6b4 100644 (file)
--- a/src/viced/host.c
+++ b/src/viced/host.c
@@ -1072,15 +1072,17 @@ h_Enumerate(int (*proc) (), char *param)
        ViceLog(0, ("Failed malloc in h_Enumerate\n"));
        assert(0);
     }
-    for (count = 0, host = hostList; host; host = host->next, count++) {
+    for (count = 0, host = hostList; host && count < hostCount; host = host->next, count++) {
        list[count] = host;
        if (!(held[count] = h_Held_r(host)))
            h_Hold_r(host);
     }
     if (count != hostCount) {
        ViceLog(0, ("h_Enumerate found %d of %d hosts\n", count, hostCount));
+    } else if (host != NULL) {
+       ViceLog(0, ("h_Enumerate found more than %d hosts\n", hostCount));
+       assert(0);
     }
-    assert(count <= hostCount);
     H_UNLOCK;
     for (i = 0; i < count; i++) {
        held[i] = (*proc) (list[i], held[i], param);