multipath-tools/6026-libmultipath-fix-possible-WWID-overflow-in-parse_vpd.patch

From e8a63834f966cc605429c5b2ab3edc79a46c3bff Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwilck@suse.com>
Date: Mon, 24 Jun 2019 11:27:42 +0200
Subject: [PATCH 6/8] libmultipath: fix possible WWID overflow in
 parse_vpd_pg83()

We have to check the remaining length before printing to the
output buffer, not afterwards.

Fixes: 18176202e75c "Read wwid from sysfs vpg_pg83 attribute"
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
 libmultipath/discovery.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c
index c57369c..34d425b 100644
--- a/libmultipath/discovery.c
+++ b/libmultipath/discovery.c
@@ -1098,11 +1098,9 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,
 			int i;
 
 			len = sprintf(out, "%d", vpd_type);
-			for (i = 0; i < vpd_len; i++) {
+			for (i = 0; i < vpd_len && len < out_len - 2; i++) {
 				len += sprintf(out + len,
 					       "%02x", vpd[i]);
-				if (len >= out_len)
-					break;
 			}
 		} else if (vpd_type == 0x8) {
 			if (!memcmp("eui.", vpd, 4)) {
@@ -1110,27 +1108,19 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,
 				len = 1;
 				vpd += 4;
 				vpd_len -= 4;
-				for (i = 0; i < vpd_len; i++) {
+				for (i = 0; i < vpd_len && len < out_len - 1; i++) {
 					len += sprintf(out + len, "%c",
 						       tolower(vpd[i]));
-					if (len >= out_len)
-						break;
 				}
-				len = vpd_len + 1;
-				out[len] = '\0';
 			} else if (!memcmp("naa.", vpd, 4)) {
 				out[0] = '3';
 				len = 1;
 				vpd += 4;
 				vpd_len -= 4;
-				for (i = 0; i < vpd_len; i++) {
+				for (i = 0; i < vpd_len && len < out_len - 1; i++) {
 					len += sprintf(out + len, "%c",
 						       tolower(vpd[i]));
-					if (len >= out_len)
-						break;
 				}
-				len = vpd_len + 1;
-				out[len] = '\0';
 			} else {
 				out[0] = '8';
 				len = 1;
-- 
1.8.3.1
rename the package 2020-01-10 17:13:17 +08:00			`From e8a63834f966cc605429c5b2ab3edc79a46c3bff Mon Sep 17 00:00:00 2001`
			`From: Martin Wilck <mwilck@suse.com>`
			`Date: Mon, 24 Jun 2019 11:27:42 +0200`
			`Subject: [PATCH 6/8] libmultipath: fix possible WWID overflow in`
			`parse_vpd_pg83()`

			`We have to check the remaining length before printing to the`
			`output buffer, not afterwards.`

			`Fixes: 18176202e75c "Read wwid from sysfs vpg_pg83 attribute"`
			`Signed-off-by: Martin Wilck <mwilck@suse.com>`
			`---`
			`libmultipath/discovery.c \| 16 +++-------------`
			`1 file changed, 3 insertions(+), 13 deletions(-)`

			`diff --git a/libmultipath/discovery.c b/libmultipath/discovery.c`
			`index c57369c..34d425b 100644`
			`--- a/libmultipath/discovery.c`
			`+++ b/libmultipath/discovery.c`
			`@@ -1098,11 +1098,9 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,`
			`int i;`

			`len = sprintf(out, "%d", vpd_type);`
			`- for (i = 0; i < vpd_len; i++) {`
			`+ for (i = 0; i < vpd_len && len < out_len - 2; i++) {`
			`len += sprintf(out + len,`
			`"%02x", vpd[i]);`
			`- if (len >= out_len)`
			`- break;`
			`}`
			`} else if (vpd_type == 0x8) {`
			`if (!memcmp("eui.", vpd, 4)) {`
			`@@ -1110,27 +1108,19 @@ parse_vpd_pg83(const unsigned char *in, size_t in_len,`
			`len = 1;`
			`vpd += 4;`
			`vpd_len -= 4;`
			`- for (i = 0; i < vpd_len; i++) {`
			`+ for (i = 0; i < vpd_len && len < out_len - 1; i++) {`
			`len += sprintf(out + len, "%c",`
			`tolower(vpd[i]));`
			`- if (len >= out_len)`
			`- break;`
			`}`
			`- len = vpd_len + 1;`
			`- out[len] = '\0';`
			`} else if (!memcmp("naa.", vpd, 4)) {`
			`out[0] = '3';`
			`len = 1;`
			`vpd += 4;`
			`vpd_len -= 4;`
			`- for (i = 0; i < vpd_len; i++) {`
			`+ for (i = 0; i < vpd_len && len < out_len - 1; i++) {`
			`len += sprintf(out + len, "%c",`
			`tolower(vpd[i]));`
			`- if (len >= out_len)`
			`- break;`
			`}`
			`- len = vpd_len + 1;`
			`- out[len] = '\0';`
			`} else {`
			`out[0] = '8';`
			`len = 1;`
			`--`
			`1.8.3.1`