763754 – (GLUSTER-2022) gf_string2int() overflows target pointer

Bug 763754 (GLUSTER-2022) - gf_string2int() overflows target pointer

Summary: gf_string2int() overflows target pointer

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	GLUSTER-2022
Product:	GlusterFS
Classification:	Community
Component:	core
Sub Component:
Version:	mainline
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Csaba Henk
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-10-27 09:57 UTC by Csaba Henk
Modified:	2010-11-12 07:42 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Anand Avati 2010-10-27 08:13:33 UTC

PATCH: http://patches.gluster.com/patch/5581 in master (libglusterfs: fix buffer overflow in gf_string2int())

Comment 1 Csaba Henk 2010-10-27 09:57:14 UTC

gf_string2int()is the same as gf_string2long(), just beforehand it casts the target pointer to long. On a 64 bit machine this means that an 8 bytes region will be written by a call to it. In the standard use-case we use an int pointer as target, which means we are allowed to write 4 bytes only.

An example of it: in glusterd-store.c, we can see

  gf_string2int (value, &brickinfo->port);

this overflows to the subsequent field in brickinfo, ie. brickinfo->logfile.

Note You need to log in before you can comment on or make changes to this bug.