[LU-15056] Overflow when setting a tbf rule name - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: Lustre 2.15.0
Affects Version/s: None
Labels:
None
Environment:
VMs with lustre 2.14.53

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

A tbf rule name length is limited to 16 characters (MAX_TBF_NAME).
This length is never checked. This can cause an overflow inside the following code:

static int
nrs_tbf_rule_start(struct ptlrpc_nrs_policy *policy,
                   struct nrs_tbf_head *head,
                   struct nrs_tbf_cmd *start)
{
        struct nrs_tbf_rule     *rule;
        struct nrs_tbf_rule     *tmp_rule;
        struct nrs_tbf_rule     *next_rule;
        char                    *next_name = start->u.tc_start.ts_next_name;
        int                      rc;

        rule = nrs_tbf_rule_find(head, start->tc_name);
        if (rule) {
                nrs_tbf_rule_put(rule);
                return -EEXIST;
        }

        OBD_CPT_ALLOC_PTR(rule, nrs_pol2cptab(policy), nrs_pol2cptid(policy));
        if (rule == NULL)
                return -ENOMEM;

        memcpy(rule->tr_name, start->tc_name, strlen(start->tc_name));    <---------------------

Attachments

Issue Links

is related to

LUDOC-496 Format of TBF rule name field is not defined

Open

Activity

People

Assignee:: Etienne Aujames

Reporter:: Etienne Aujames

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 04/Oct/21 2:33 PM

Updated:: 07/Jan/22 4:55 PM

Resolved:: 06/Jan/22 11:08 PM