Bug 1240524 - buffer overflow and crash while producing `gluster volume set help`
Summary: buffer overflow and crash while producing `gluster volume set help`
Keywords:
Status: CLOSED EOL
Alias: None
Product: GlusterFS
Classification: Community
Component: glusterd
Version: 3.5.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kaushal
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-07 07:44 UTC by Hans Henrik Happe
Modified: 2016-06-17 16:24 UTC
CC List: 2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-06-17 16:24:25 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:


Attachments
/var/log/glusterfs/etc-glusterfs-glusterd.vol.log (1.43 KB, text/plain)
2015-07-07 07:44 UTC, Hans Henrik Happe

Description Hans Henrik Happe 2015-07-07 07:44:04 UTC
Created attachment 1049115 [details]
/var/log/glusterfs/etc-glusterfs-glusterd.vol.log

After updating to 3.5.4 on a CentOS 6.6 server, there seems to be a missing library. It can be observed with a clean install of glusterfs-server by calling this:

# gluster vol set help

This crashes glusterd with the attached output in the log.

Comment 1 Kaleb KEITHLEY 2015-07-08 19:01:42 UTC
"Missing" library is a red herring. Crash is due to a buffer overflow.

This is the patch I used for the Fedora and EPEL koji builds. It could stand some more improvement, not just in 3.5.x but in all later branches.

--- glusterfs-3.5.5/xlators/mgmt/glusterd/src/glusterd-volgen.c.orig	2015-07-08 14:27:52.386643601 -0400
+++ glusterfs-3.5.5/xlators/mgmt/glusterd/src/glusterd-volgen.c	2015-07-08 14:32:44.137643601 -0400
@@ -1982,7 +1982,8 @@
         int                      ret = -1;
         char                    *def_val = NULL;
         char                    *descr = NULL;
-        char                     output_string[25600] = {0, };
+        char                     output_string[51200] = {0, };
+        size_t                   len_output_string = 0;
         char                    *output = NULL;
         char                     tmp_str[2048] = {0, };
 #if (HAVE_LIB_XML)
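Review bot: doubling `output_string` from 25600 to 51200 bytes only raises the ceiling; the next time the option table grows, the same overflow is back, and a 51200-byte array next to the 2048-byte `tmp_str` is a large stack frame for a daemon. Since the new `len_output_string` already tracks the running length, consider sizing the buffer from a first counting pass (or growing it with `realloc`) instead of picking a bigger constant, and drop the fixed-size array from this declaration block.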
@@ -2046,10 +2047,12 @@
                         gf_log ("glusterd", GF_LOG_ERROR, "Libxml not present");
 #endif
                 } else {
-                        snprintf (tmp_str, sizeof (tmp_str), "Option: %s\nDefault "
+                        len_output_string += 
+                              snprintf (tmp_str,sizeof (tmp_str), "Option: %s\nDefault "
                                         "Value: %s\nDescription: %s\n\n",
                                         vme->key, def_val, descr);
-                        strcat (output_string, tmp_str);
+                        if (len_output_string < sizeof output_string)
+                                strcat (output_string, tmp_str);
                 }
 cont:
                 if (dl_handle) {
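Review bot: the guard `if (len_output_string < sizeof output_string)` stops the overflow but drops the entry silently, so once the table outgrows the buffer `gluster volume set help` will omit options with no error and no log line; log the condition with `gf_log` as the Libxml branch above does, and break out of the loop rather than keep calling snprintf for entries that will never be appended. Note also that `len_output_string` accumulates the return value of snprintf, which is the length the text would have had, not the at most 2047 bytes that actually landed in `tmp_str`; over-counting a truncated description is the safe direction, but a negative return on error is added to a `size_t` and wraps, so check `n < 0` before adding. Style: trailing whitespace after `len_output_string += ` and the missing space in `snprintf (tmp_str,sizeof (tmp_str)` depart from the surrounding code.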

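The same "Option / Default Value / Description" text built two ways that cannot overrun a buffer, as an added example that is not glusterd code and not part of the patch above. The option table `sample_opts`, its values, and the function names `build_volopt_help`, `fixed_buffer_help` and `count_fitting` are assumptions made for this illustration; only the format string is taken from the hunk. `build_volopt_help` sizes the output from a counting pass (no constant to outgrow), while `fixed_buffer_help` keeps a fixed buffer but makes truncation visible to the caller instead of dropping entries silently.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for glusterd's option table; values are illustrative. */
struct opt_entry { const char *key; const char *def_val; const char *descr; };

static const struct opt_entry sample_opts[] = {
    { "performance.cache-size", "32MB", "Size of the read cache." },
    { "network.ping-timeout",   "42",   "Seconds before a non-responsive server is dropped." },
    { "auth.allow",             "*",    "Allow a comma separated list of addresses." },
};
#define SAMPLE_OPT_COUNT (sizeof sample_opts / sizeof sample_opts[0])

/* Same per-option layout as the snprintf in the patch hunk. snprintf returns
 * the length the text would have, whether or not it fit in dstsz. */
static int fmt_entry(char *dst, size_t dstsz, const struct opt_entry *e)
{
    return snprintf(dst, dstsz, "Option: %s\nDefault Value: %s\nDescription: %s\n\n",
                    e->key, e->def_val, e->descr);
}

/* Hardened form: measure first, then allocate exactly, so the buffer is sized
 * by the option table rather than by a constant the table can outgrow. Returns
 * a malloc'ed string (valid, possibly empty) the caller frees, or NULL on
 * size-arithmetic overflow or allocation failure. */
char *build_volopt_help(const struct opt_entry *opts, size_t count)
{
    size_t total = 0, len = 0, i;
    char *out;

    for (i = 0; i < count; i++) {           /* pass 1: count bytes */
        int n = fmt_entry(NULL, 0, &opts[i]);
        if (n < 0 || (size_t)n > SIZE_MAX - 1 - total)
            return NULL;
        total += (size_t)n;
    }
    out = malloc(total + 1);
    if (!out)
        return NULL;
    out[0] = '\0';
    for (i = 0; i < count; i++) {           /* pass 2: write, still bounded */
        int n = fmt_entry(out + len, total + 1 - len, &opts[i]);
        if (n < 0 || (size_t)n > total - len) {
            free(out);                      /* an entry changed size under us */
            return NULL;
        }
        len += (size_t)n;
    }
    return out;
}

/* Bounded form for callers that keep a fixed buffer: formats straight into
 * the remaining space, rolls back an entry that does not fit, never writes
 * past outsz, and returns how many entries were written so the caller can
 * detect truncation (return < count) instead of dropping text silently. */
size_t fixed_buffer_help(char *out, size_t outsz,
                         const struct opt_entry *opts, size_t count)
{
    size_t len = 0, i;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (i = 0; i < count; i++) {
        int n = fmt_entry(out + len, outsz - len, &opts[i]);
        if (n < 0 || (size_t)n >= outsz - len) {
            out[len] = '\0';                /* undo the partial entry */
            break;
        }
        len += (size_t)n;
    }
    return i;
}

/* How many of the sample options fit in an outsz-byte fixed buffer. */
size_t count_fitting(size_t outsz)
{
    char *buf = malloc(outsz ? outsz : 1);
    size_t n;

    if (!buf)
        return 0;
    n = fixed_buffer_help(buf, outsz, sample_opts, SAMPLE_OPT_COUNT);
    free(buf);
    return n;
}

int main(void)
{
    char *help = build_volopt_help(sample_opts, SAMPLE_OPT_COUNT);
    if (!help)
        return 1;
    fputs(help, stdout);
    printf("%zu bytes; a 100-byte buffer holds %zu of %zu entries\n",
           strlen(help), count_fitting(100), (size_t)SAMPLE_OPT_COUNT);
    free(help);
    return 0;
}
```

With the two-pass form the `output_string[51200]` constant disappears entirely; if a fixed stack buffer must stay, compare the return value of `fixed_buffer_help` against the entry count and log the shortfall, since a silently shortened help text is a bug the user cannot see.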
Comment 3 Niels de Vos 2016-06-17 16:24:25 UTC
This bug is getting closed because 3.5 is marked End-Of-Life. There will be no further updates to this version. Please open a new bug against a version that still receives bugfixes if you are still facing this issue in a more current release.

