author | mav <mav@FreeBSD.org> | 2017-01-10 08:23:06 +0000 |
---|---|---|
committer | mav <mav@FreeBSD.org> | 2017-01-10 08:23:06 +0000 |
commit | a78549d940fbfb7e8367cad1da1c42bd27446430 (patch) | |
tree | dc398d2776027060f55aff9998352cfcad454324 | |
parent | 5d56c7af46ff630cb5e0c21898a6ac5d5bcc3ecd (diff) | |
MFC r310633: Add MAX_LUNS overflow safety checks.
While this MAX_LUNS limitation is too synthetic and should be removed,
it is better to enforce it while it is here.
-rw-r--r-- | usr.sbin/ctld/parse.y | 10 | ||||
-rw-r--r-- | usr.sbin/ctld/uclparse.c | 21 |
2 files changed, 27 insertions, 4 deletions
diff --git a/usr.sbin/ctld/parse.y b/usr.sbin/ctld/parse.y
index 820b4c7..dc7ff71 100644
--- a/usr.sbin/ctld/parse.y
+++ b/usr.sbin/ctld/parse.y
@@ -821,6 +821,11 @@ lun_number: STR
 free($1);
 return (1);
 }
+ if (tmp >= MAX_LUNS) {
+ yyerror("LU number is too big");
+ free($1);
+ return (1);
+ }
 ret = asprintf(&name, "%s,lun,%ju", target->t_name, tmp);
 if (ret <= 0)
@@ -845,6 +850,11 @@ target_lun_ref: LUN STR STR
 return (1);
 }
 free($2);
+ if (tmp >= MAX_LUNS) {
+ yyerror("LU number is too big");
+ free($3);
+ return (1);
+ }
 lun = lun_find(conf, $3);
 free($3);
diff --git a/usr.sbin/ctld/uclparse.c b/usr.sbin/ctld/uclparse.c
index 3cf95cf..2187242 100644
--- a/usr.sbin/ctld/uclparse.c
+++ b/usr.sbin/ctld/uclparse.c
@@ -183,18 +183,25 @@ static int
 uclparse_target_lun(struct target *target, const ucl_object_t *obj)
 {
 struct lun *lun;
+ uint64_t tmp;
 if (obj->type == UCL_INT) {
 char *name;
- asprintf(&name, "%s,lun,%ju", target->t_name,
- ucl_object_toint(obj));
+ tmp = ucl_object_toint(obj);
+ if (tmp >= MAX_LUNS) {
+ log_warnx("LU number %ju in target \"%s\" is too big",
+ tmp, target->t_name);
+ return (1);
+ }
+
+ asprintf(&name, "%s,lun,%ju", target->t_name, tmp);
 lun = lun_new(conf, name);
 if (lun == NULL)
 return (1);
 lun_set_scsiname(lun, name);
- target->t_luns[ucl_object_toint(obj)] = lun;
+ target->t_luns[tmp] = lun;
 return (0);
 }
@@ -207,6 +214,12 @@ uclparse_target_lun(struct target *target, const ucl_object_t *obj)
 "\"number\" integer property", target->t_name);
 return (1);
 }
+ tmp = ucl_object_toint(num);
+ if (tmp >= MAX_LUNS) {
+ log_warnx("LU number %ju in target \"%s\" is too big",
+ tmp, target->t_name);
+ return (1);
+ }
 if (name == NULL || name->type != UCL_STRING) {
 log_warnx("lun section in target \"%s\" is missing "
@@ -218,7 +231,7 @@ uclparse_target_lun(struct target *target, const ucl_object_t *obj)
 if (lun == NULL)
 return (1);
- target->t_luns[ucl_object_toint(num)] = lun;
+ target->t_luns[tmp] = lun;
 }
 return (0); |
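Review bot: The new `tmp >= MAX_LUNS` guard in `lun_number` (parse.y hunk at -821), and the identical one in `target_lun_ref` (hunk at -845), has no comment saying what the bound protects. In uclparse.c the same value is the index in `target->t_luns[tmp]`; presumably that holds here too, although the indexing statement is outside both hunks. Since the commit message calls the limit temporary, I would add `/* tmp is used as an index into target->t_luns[]; reject out-of-range values from the config file. */` above each check, so the bound is not dropped independently of the array. Both rule bodies start and end outside the hunks.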
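Review bot: The rewritten `asprintf(&name, "%s,lun,%ju", target->t_name, tmp);` in the UCL_INT branch (uclparse.c hunk at -183) still ignores its return value, so on allocation failure `name` is indeterminate when it reaches `lun_new(conf, name)` and `lun_set_scsiname(lun, name)`. parse.y checks the equivalent call with `if (ret <= 0)`; the same guard fits here as `if (asprintf(&name, "%s,lun,%ju", target->t_name, tmp) <= 0) {`, `log_warnx("asprintf failed");`, `return (1); }`. Separately, `tmp = ucl_object_toint(obj);` (and `tmp = ucl_object_toint(num);` in the hunk at -207) stores a signed result in a `uint64_t`, so a negative number from the config is rejected only because it wraps above MAX_LUNS. That deserves a comment such as `/* Negative values wrap to large unsigned ones and are rejected below. */`. Whether `name` is freed after `lun_new()` cannot be told from the visible lines.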
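Review bot: `target->t_luns[tmp] = lun;` writes the slot without looking at what is already there, both here (uclparse.c hunk at -218) and in the UCL_INT branch (hunk at -183). As far as the visible lines show, two `lun` entries with the same number in one target leave the last one silently in effect. Now that `tmp` is range-checked, a guard before the assignment would turn that configuration mistake into an error: `if (target->t_luns[tmp] != NULL) {`, `log_warnx("duplicate LU number %ju in target \"%s\"", tmp, target->t_name);`, `return (1); }`. Parts of uclparse_target_lun() lie between the hunks, so an existing check may be out of view.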