Bug 763754 (GLUSTER-2022) - gf_string2int() overflows target pointer
Summary: gf_string2int() overflows target pointer
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: GLUSTER-2022
Product: GlusterFS
Classification: Community
Component: core
Version: mainline
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Csaba Henk
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-10-27 09:57 UTC by Csaba Henk
Modified: 2010-11-12 07:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:


Attachments (Terms of Use)

Description Anand Avati 2010-10-27 08:13:33 UTC
PATCH: http://patches.gluster.com/patch/5581 in master (libglusterfs: fix buffer overflow in gf_string2int())

Comment 1 Csaba Henk 2010-10-27 09:57:14 UTC
gf_string2int()is the same as gf_string2long(), just beforehand it casts the target pointer to long. On a 64 bit machine this means that an 8 bytes region will be written by a call to it. In the standard use-case we use an int pointer as target, which means we are allowed to write 4 bytes only.

An example of it: in glusterd-store.c, we can see

  gf_string2int (value, &brickinfo->port);

this overflows to the subsequent field in brickinfo, ie. brickinfo->logfile.


Note You need to log in before you can comment on or make changes to this bug.