Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1240524

Summary: buffer overflow and crash while producing `gluster volume set help`
Product: [Community] GlusterFS Reporter: Hans Henrik Happe <happe>
Component: glusterdAssignee: Kaushal <kaushal>
Status: CLOSED EOL QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.5.4CC: bugs, kkeithle
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-17 16:24:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/glusterfs/etc-glusterfs-glusterd.vol.log none

Description Hans Henrik Happe 2015-07-07 07:44:04 UTC 
Created attachment 1049115 [details]
/var/log/glusterfs/etc-glusterfs-glusterd.vol.log

After updating to 3.5.4 on a CentOS 6.6 server, there seem to miss a library. It can be observed with a clean install of glusterfs-server calling this:

# gluster vol set help

This crashes glusterd with the attached in the log.
Comment 1 Kaleb KEITHLEY 2015-07-08 19:01:42 UTC 
"Missing" library is a red herring. Crash is due to a buffer overflow.

This is the patch I used for the Fedora and EPEL koji builds. It could stand some more improvement, not just in 3.5.x but all later branches.

--- glusterfs-3.5.5/xlators/mgmt/glusterd/src/glusterd-volgen.c.orig	2015-07-08 14:27:52.386643601 -0400
+++ glusterfs-3.5.5/xlators/mgmt/glusterd/src/glusterd-volgen.c	2015-07-08 14:32:44.137643601 -0400
@@ -1982,7 +1982,8 @@
         int                      ret = -1;
         char                    *def_val = NULL;
         char                    *descr = NULL;
-        char                     output_string[25600] = {0, };
+        char                     output_string[51200] = {0, };
+        size_t                   len_output_string = 0;
         char                    *output = NULL;
         char                     tmp_str[2048] = {0, };
 #if (HAVE_LIB_XML)
@@ -2046,10 +2047,12 @@
                         gf_log ("glusterd", GF_LOG_ERROR, "Libxml not present");
 #endif
                 } else {
-                        snprintf (tmp_str, sizeof (tmp_str), "Option: %s\nDefault "
+                        len_output_string += 
+                              snprintf (tmp_str,sizeof (tmp_str), "Option: %s\nDefault "
                                         "Value: %s\nDescription: %s\n\n",
                                         vme->key, def_val, descr);
-                        strcat (output_string, tmp_str);
+                        if (len_output_string < sizeof output_string)
+                                strcat (output_string, tmp_str);
                 }
 cont:
                 if (dl_handle) {
Comment 3 Niels de Vos 2016-06-17 16:24:25 UTC 
This bug is getting closed because the 3.5 is marked End-Of-Life. There will be no further updates to this version. Please open a new bug against a version that still receives bugfixes if you are still facing this issue in a more current release.