From 93d48b1735b88b3051357307bdbebf5da9872d69 Mon Sep 17 00:00:00 2001
From: Dan Hyde
Date: Thu, 29 Oct 2009 12:07:47 -0400
Subject: [PATCH] Add array bounds checking in h_Enumerate
When hostList is not properly NULL-terminated, the current code does not protect from buffer overflow. The following patch prevents buffer overflow, prints a message, and asserts. On our Linux hosts, we never reached the original assert, as there is a problem handling the segfault the buffer overflow causes.
FIXES 125506
Change-Id: Ifce92c593d17050e45add9e37a7a9ed4fbc377ef
Reviewed-on: http://gerrit.openafs.org/757
Reviewed-by: Dan Hyde
Reviewed-by: Derrick Brashear
Tested-by: Derrick Brashear
---
 src/viced/host.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/viced/host.c b/src/viced/host.c
index 9bd3b6ecd..73085392a 100644
--- a/src/viced/host.c
+++ b/src/viced/host.c
@@ -1005,14 +1005,16 @@ h_Enumerate(int (*proc) (struct host*, int, void *), void *param)
 ViceLog(0, ("Failed malloc in h_Enumerate (flags)\n"));
 assert(0);
 }
- for (count = 0, host = hostList; host; host = host->next, count++) {
+ for (count = 0, host = hostList; host && count < hostCount; host = host->next, count++) {
 list[count] = host;
 h_Hold_r(host);
 }
 if (count != hostCount) {
 ViceLog(0, ("h_Enumerate found %d of %d hosts\n", count, hostCount));
+ } else if (host != NULL) {
+ ViceLog(0, ("h_Enumerate found more than %d hosts\n", hostCount));
+ assert(0);
 }
- assert(count <= hostCount);
 H_UNLOCK;
 for (i = 0; i < count; i++) {
 flags[i] = (*proc) (list[i], flags[i], param);
-- 
2.39.5
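Review bot: The new `else if (host != NULL)` branch relies on `assert(0)` to stop once hostList turns out to be longer than hostCount; if `assert` in this file is the standard macro and a build defines NDEBUG, that branch only logs and the callback loop then runs over a silently truncated list. The `count < hostCount` condition in the `for` is what actually keeps the writes inside `list[]`, so I would document it in place, e.g. `/* stop at hostCount: list[] and flags[] are sized from it, so a longer hostList must not overrun them */`. The allocations and the lock acquisition sit above the hunk (h_Enumerate starts and ends outside it), so it is worth confirming that they use the same hostCount value read under the host lock. The two mismatch cases are also handled differently: a short list (`count != hostCount`) logs and continues, while a long list aborts with the lock still held and `h_Hold_r` already taken on hostCount hosts, which is fine for a fail-stop but deserves a sentence in the comment.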