repositories / deb_libnfs.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix potential overflow in nfs_pread_mcb
[deb_libnfs.git] / lib / libnfs.c
diff --git a/lib/libnfs.c b/lib/libnfs.c
index b2a53508b82ec85d1d6619b1bbe56becd15ca68b..4f0650f41abbe9ccca78bfc7a01fece238b9e706 100644 (file)
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -524,27 +524,16 @@ int rpc_connect_program_async(struct rpc_context *rpc, char *server, int program
        return 0;
 }
 
-void free_nfs_cb_data(struct nfs_cb_data *data)
+static void free_nfs_cb_data(struct nfs_cb_data *data)
 {
-       if (data->saved_path != NULL) {
-               free(data->saved_path);
-               data->saved_path = NULL;
-       }
-
        if (data->continue_data != NULL) {
+               assert(data->free_continue_data);
                data->free_continue_data(data->continue_data);
-               data->continue_data = NULL;
        }
 
-       if (data->fh.data.data_val != NULL) {
-               free(data->fh.data.data_val);
-               data->fh.data.data_val = NULL;
-       }
-
-       if (data->buffer != NULL) {
-               free(data->buffer);
-               data->buffer = NULL;
-       }
+       free(data->saved_path);
+       free(data->fh.data.data_val);
+       free(data->buffer);
 
        free(data);
 }
@@ -1241,6 +1230,84 @@ int nfs_stat_async(struct nfs_context *nfs, const char *path, nfs_cb cb, void *p
 }
 
 
+/*
+ * Async nfs_stat64()
+ */
+static void nfs_stat64_1_cb(struct rpc_context *rpc, int status, void *command_data, void *private_data)
+{
+       GETATTR3res *res;
+       struct nfs_cb_data *data = private_data;
+       struct nfs_context *nfs = data->nfs;
+       struct nfs_stat_64 st;
+
+       assert(rpc->magic == RPC_CONTEXT_MAGIC);
+
+       if (status == RPC_STATUS_ERROR) {
+               data->cb(-EFAULT, nfs, command_data, data->private_data);
+               free_nfs_cb_data(data);
+               return;
+       }
+       if (status == RPC_STATUS_CANCEL) {
+               data->cb(-EINTR, nfs, "Command was cancelled", data->private_data);
+               free_nfs_cb_data(data);
+               return;
+       }
+
+       res = command_data;
+       if (res->status != NFS3_OK) {
+               rpc_set_error(nfs->rpc, "NFS: GETATTR of %s failed with %s(%d)", data->saved_path, nfsstat3_to_str(res->status), nfsstat3_to_errno(res->status));
+               data->cb(nfsstat3_to_errno(res->status), nfs, rpc_get_error(nfs->rpc), data->private_data);
+               free_nfs_cb_data(data);
+               return;
+       }
+
+        st.nfs_dev     = -1;
+        st.nfs_ino     = res->GETATTR3res_u.resok.obj_attributes.fileid;
+        st.nfs_mode    = res->GETATTR3res_u.resok.obj_attributes.mode;
+       if (res->GETATTR3res_u.resok.obj_attributes.type == NF3DIR) {
+               st.nfs_mode |= S_IFDIR ;
+       }
+       if (res->GETATTR3res_u.resok.obj_attributes.type == NF3REG) {
+               st.nfs_mode |= S_IFREG ;
+       }
+        st.nfs_nlink   = res->GETATTR3res_u.resok.obj_attributes.nlink;
+        st.nfs_uid     = res->GETATTR3res_u.resok.obj_attributes.uid;
+        st.nfs_gid     = res->GETATTR3res_u.resok.obj_attributes.gid;
+        st.nfs_rdev    = 0;
+        st.nfs_size    = res->GETATTR3res_u.resok.obj_attributes.size;
+        st.nfs_atime   = res->GETATTR3res_u.resok.obj_attributes.atime.seconds;
+        st.nfs_mtime   = res->GETATTR3res_u.resok.obj_attributes.mtime.seconds;
+        st.nfs_ctime   = res->GETATTR3res_u.resok.obj_attributes.ctime.seconds;
+
+       data->cb(0, nfs, &st, data->private_data);
+       free_nfs_cb_data(data);
+}
+
+static int nfs_stat64_continue_internal(struct nfs_context *nfs, struct nfs_cb_data *data)
+{
+       struct GETATTR3args args;
+
+       memset(&args, 0, sizeof(GETATTR3args));
+       args.object = data->fh;
+
+       if (rpc_nfs3_getattr_async(nfs->rpc, nfs_stat64_1_cb, &args, data) != 0) {
+               rpc_set_error(nfs->rpc, "RPC error: Failed to send STAT GETATTR call for %s", data->path);
+               data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+               free_nfs_cb_data(data);
+               return -1;
+       }
+       return 0;
+}
+
+int nfs_stat64_async(struct nfs_context *nfs, const char *path, nfs_cb cb, void *private_data)
+{
+       if (nfs_lookuppath_async(nfs, path, cb, private_data, nfs_stat64_continue_internal, NULL, NULL, 0) != 0) {
+               rpc_set_error(nfs->rpc, "Out of memory: failed to start parsing the path components");
+               return -1;
+       }
+
+       return 0;
+}
 
 /*
  * Async open()
@@ -1521,9 +1588,14 @@ static void nfs_pread_mcb(struct rpc_context *rpc, int status, void *command_dat
                        data->error = 1;
                } else  {
                        if (res->READ3res_u.resok.count > 0) {
-                               memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
-                               if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
-                                       data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+                               if (res->READ3res_u.resok.count <= mdata->count) {
+                                       memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
+                                       if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
+                                               data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+                                       }
+                               } else {
+                                       rpc_set_error(nfs->rpc, "NFS: Read overflow. Server has sent more data than requested!");
+                                       data->error = 1;
                                }
                        }
                }
@@ -1589,6 +1661,9 @@ int nfs_pread_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offse
                return 0;
        }
 
+       assert(count > 0);
+       assert(data->num_calls == 0);
+
        /* trying to read more than maximum server read size, we has to chop it up into smaller
         * reads and collect into a reassembly buffer.
         * we send all reads in parallel so that performance is still good.
@@ -1616,6 +1691,8 @@ int nfs_pread_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offse
                mdata = malloc(sizeof(struct nfs_mcb_data));
                if (mdata == NULL) {
                        rpc_set_error(nfs->rpc, "out of memory: failed to allocate nfs_mcb_data structure");
+                       if (data->num_calls == 0)
+                               free_nfs_cb_data(data);
                        return -1;
                }
                memset(mdata, 0, sizeof(struct nfs_mcb_data));
@@ -1632,6 +1709,8 @@ int nfs_pread_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offse
                        rpc_set_error(nfs->rpc, "RPC error: Failed to send READ call for %s", data->path);
                        data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
                        free(mdata);
+                       if (data->num_calls == 0)
+                               free_nfs_cb_data(data);
                        return -1;
                }
 
@@ -1786,6 +1865,10 @@ int nfs_pwrite_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offs
                return 0;
        }
 
+       /* hello, clang-analyzer */
+       assert(count > 0);
+       assert(data->num_calls == 0);
+
        /* trying to write more than maximum server write size, we has to chop it up into smaller
         * chunks.
         * we send all writes in parallel so that performance is still good.
@@ -1805,6 +1888,8 @@ int nfs_pwrite_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offs
                mdata = malloc(sizeof(struct nfs_mcb_data));
                if (mdata == NULL) {
                        rpc_set_error(nfs->rpc, "out of memory: failed to allocate nfs_mcb_data structure");
+                       if (data->num_calls == 0)
+                               free_nfs_cb_data(data);
                        return -1;
                }
                memset(mdata, 0, sizeof(struct nfs_mcb_data));
@@ -1824,6 +1909,9 @@ int nfs_pwrite_async(struct nfs_context *nfs, struct nfsfh *nfsfh, uint64_t offs
                        rpc_set_error(nfs->rpc, "RPC error: Failed to send WRITE call for %s", data->path);
                        data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
                        free(mdata);
+                       if (data->num_calls == 0)
+                               free_nfs_cb_data(data);
+
                        return -1;
                }
 
@@ -2135,6 +2223,7 @@ int nfs_mkdir_async(struct nfs_context *nfs, const char *path, nfs_cb cb, void *
 
        ptr = strrchr(new_path, '/');
        if (ptr == NULL) {
+               free(new_path);
                rpc_set_error(nfs->rpc, "Invalid path %s", path);
                return -1;
        }
@@ -2221,6 +2310,7 @@ int nfs_rmdir_async(struct nfs_context *nfs, const char *path, nfs_cb cb, void *
 
        ptr = strrchr(new_path, '/');
        if (ptr == NULL) {
+               free(new_path);
                rpc_set_error(nfs->rpc, "Invalid path %s", path);
                return -1;
        }
@@ -2456,6 +2546,7 @@ int nfs_unlink_async(struct nfs_context *nfs, const char *path, nfs_cb cb, void
 
        ptr = strrchr(new_path, '/');
        if (ptr == NULL) {
+               free(new_path);
                rpc_set_error(nfs->rpc, "Invalid path %s", path);
                return -1;
        }
@@ -2605,7 +2696,6 @@ int nfs_mknod_async(struct nfs_context *nfs, const char *path, int mode, int dev
        /* data->path now points to the parent directory,  and beyond the nul terminateor is the new directory to create */
        if (nfs_lookuppath_async(nfs, cb_data->path, cb, private_data, nfs_mknod_continue_internal, cb_data, free_mknod_cb_data, 0) != 0) {
                rpc_set_error(nfs->rpc, "Out of memory: failed to start parsing the path components");
-               free_mknod_cb_data(cb_data);
                return -1;
        }
 
@@ -2647,14 +2737,15 @@ static void nfs_opendir3_cb(struct rpc_context *rpc, int status, void *command_d
        rdpe_cb_data->getattrcount--;
 
        if (status == RPC_STATUS_ERROR) {
+               rpc_set_error(nfs->rpc, "LOOKUP during READDIRPLUS emulation "
+                             "failed with RPC_STATUS_ERROR");
                rdpe_cb_data->status = RPC_STATUS_ERROR;
        }
        if (status == RPC_STATUS_CANCEL) {
+               rpc_set_error(nfs->rpc, "LOOKUP during READDIRPLUS emulation "
+                             "failed with RPC_STATUS_CANCEL");
                rdpe_cb_data->status = RPC_STATUS_CANCEL;
        }
-       if (status == RPC_STATUS_SUCCESS && res->status != NFS3_OK) {
-               rdpe_cb_data->status = RPC_STATUS_ERROR;
-       }
        if (status == RPC_STATUS_SUCCESS && res->status == NFS3_OK) {
                if (res->LOOKUP3res_u.resok.obj_attributes.attributes_follow) {
                        fattr3 *attributes = &res->LOOKUP3res_u.resok.obj_attributes.post_op_attr_u.attributes;
@@ -2676,7 +2767,10 @@ static void nfs_opendir3_cb(struct rpc_context *rpc, int status, void *command_d
 
        if (rdpe_cb_data->getattrcount == 0) {
                if (rdpe_cb_data->status != RPC_STATUS_SUCCESS) {
-                       data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+                       rpc_set_error(nfs->rpc, "READDIRPLUS emulation "
+                             "failed: %s", rpc_get_error(rpc));
+                       data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc),
+                               data->private_data);
                        nfs_free_nfsdir(nfsdir);
                } else {
                        data->cb(0, nfs, nfsdir, data->private_data);
@@ -2740,6 +2834,7 @@ static void nfs_opendir2_cb(struct rpc_context *rpc, int status, void *command_d
                nfsdirent->name = strdup(entry->name);
                if (nfsdirent->name == NULL) {
                        data->cb(-ENOMEM, nfs, "Failed to allocate dirent->name", data->private_data);
+                       free(nfsdirent);
                        nfs_free_nfsdir(nfsdir);
                        data->continue_data = NULL;
                        free_nfs_cb_data(data);
@@ -2799,6 +2894,9 @@ static void nfs_opendir2_cb(struct rpc_context *rpc, int status, void *command_d
                         * commands in flight to complete
                         */
                        if (rdpe_cb_data->getattrcount > 0) {
+                               nfs_free_nfsdir(nfsdir);
+                               data->continue_data = NULL;
+                               free_nfs_cb_data(data);
                                rdpe_cb_data->status = RPC_STATUS_ERROR;
                                free(rdpe_lookup_cb_data);
                                return;
@@ -2816,7 +2914,6 @@ static void nfs_opendir2_cb(struct rpc_context *rpc, int status, void *command_d
        }
 }
 
-
 static void nfs_opendir_cb(struct rpc_context *rpc, int status, void *command_data, void *private_data)
 {
        READDIRPLUS3res *res = command_data;
@@ -3320,7 +3417,6 @@ int nfs_fchmod_async(struct nfs_context *nfs, struct nfsfh *nfsfh, int mode, nfs
        memcpy(data->fh.data.data_val, nfsfh->fh.data.data_val, data->fh.data.data_len);
 
        if (nfs_chmod_continue_internal(nfs, data) != 0) {
-               free_nfs_cb_data(data);
                return -1;
        }
 
@@ -3455,7 +3551,6 @@ int nfs_fchown_async(struct nfs_context *nfs, struct nfsfh *nfsfh, int uid, int
        memcpy(data->fh.data.data_val, nfsfh->fh.data.data_val, data->fh.data.data_len);
 
        if (nfs_chown_continue_internal(nfs, data) != 0) {
-               free_nfs_cb_data(data);
                return -1;
        }
 
@@ -3897,19 +3992,28 @@ static int nfs_rename_continue_2_internal(struct nfs_context *nfs, struct nfs_cb
 static int nfs_rename_continue_1_internal(struct nfs_context *nfs, struct nfs_cb_data *data)
 {
        struct nfs_rename_data *rename_data = data->continue_data;
+       char* newpath = strdup(rename_data->newpath);
+       if (!newpath) {
+               rpc_set_error(nfs->rpc, "Out of memory. Could not allocate memory to store target path for rename");
+               data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
+               free_nfs_cb_data(data);
+               return -1;
+       }
 
        /* steal the filehandle */
        rename_data->olddir = data->fh;
        data->fh.data.data_val = NULL;
 
        if (nfs_lookuppath_async(nfs, rename_data->newpath, data->cb, data->private_data, nfs_rename_continue_2_internal, rename_data, free_nfs_rename_data, 0) != 0) {
-               rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", rename_data->newpath);
+               rpc_set_error(nfs->rpc, "RPC error: Failed to send LOOKUP call for %s", newpath);
                data->cb(-ENOMEM, nfs, rpc_get_error(nfs->rpc), data->private_data);
                free_nfs_cb_data(data);
+               free(newpath);
                return -1;
        }
        data->continue_data = NULL;
        free_nfs_cb_data(data);
+       free(newpath);
 
        return 0;
 }
libnfs Piment Noir Debian package repository