From: Dan Hyde Date: Thu, 29 Oct 2009 16:07:47 +0000 (-0400) Subject: Add array bounds checking in h_Enumerate X-Git-Tag: openafs-devel-1_5_67~90 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=93d48b1735b88b3051357307bdbebf5da9872d69;p=packages%2Fo%2Fopenafs.git Add array bounds checking in h_Enumerate When hostList is not properly NULL-terminated, the current code does not protect from buffer overflow. The following patch prevents buffer overflow, prints a message, and asserts. On our Linux hosts, we never reached the original assert, as there is a problem handling the segfault the buffer overflow causes. FIXES 125506 Change-Id: Ifce92c593d17050e45add9e37a7a9ed4fbc377ef Reviewed-on: http://gerrit.openafs.org/757 Reviewed-by: Dan Hyde Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- diff --git a/src/viced/host.c b/src/viced/host.c index 9bd3b6ecd..73085392a 100644 --- a/src/viced/host.c +++ b/src/viced/host.c @@ -1005,14 +1005,16 @@ h_Enumerate(int (*proc) (struct host*, int, void *), void *param) ViceLog(0, ("Failed malloc in h_Enumerate (flags)\n")); assert(0); } - for (count = 0, host = hostList; host; host = host->next, count++) { + for (count = 0, host = hostList; host && count < hostCount; host = host->next, count++) { list[count] = host; h_Hold_r(host); } if (count != hostCount) { ViceLog(0, ("h_Enumerate found %d of %d hosts\n", count, hostCount)); + } else if (host != NULL) { + ViceLog(0, ("h_Enumerate found more than %d hosts\n", hostCount)); + assert(0); } - assert(count <= hostCount); H_UNLOCK; for (i = 0; i < count; i++) { flags[i] = (*proc) (list[i], flags[i], param);
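Review bot: The new bound `count < hostCount` in the `for` loop only protects `list[]` and `flags[]` if both arrays were allocated for exactly `hostCount` entries and `hostCount` cannot change between those allocations and this loop. The allocations are outside the hunk, so please confirm that and add a short comment above the loop stating the invariant. In the new `else if (host != NULL)` branch, `assert(0)` is the only thing that stops processing, so the branch depends on asserts being active in the build; if they can be compiled out, the function continues with a truncated list after logging. The message "h_Enumerate found more than %d hosts" could also say that enumeration stopped at the array bound, which would make a list that is not NULL-terminated easier to recognise in the log. Style: the rewritten `for` line is now well over 80 columns and could be wrapped.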