| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 1 | From bc3ceda747104afdc24386df5dc45ca86f6c2936 Mon Sep 17 00:00:00 2001 |
| 2 | From: Benjamin Marzinski <bmarzins@redhat.com> |
| 3 | Date: Thu, 1 Jun 2017 17:52:28 -0500 |
| 4 | Subject: [PATCH 11/14] multipathd: fix "show maps json" crash |
| 5 | |
| 6 | If there are no multipath devices, show_maps_json sets the maximum size |
| 7 | of the reply buffer to 0. Having a size of 0 causes the calls to calloc |
| 8 | and realloc to behave in ways that the code isn't designed to handle, |
| 9 | leading to a double-free crash. Instead, show_maps_json should just |
| 10 | use the INITIAL_REPLY_LEN if there are no multipath devices. |
| 11 | |
| 12 | Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com> |
| 13 | --- |
| 14 | multipathd/cli_handlers.c | 6 ++++-- |
| 15 | 1 file changed, 4 insertions(+), 2 deletions(-) |
| 16 | |
| 17 | diff --git a/multipathd/cli_handlers.c b/multipathd/cli_handlers.c |
| 18 | index 04c7386..7b0d00c 100644 |
| 19 | --- a/multipathd/cli_handlers.c |
| 20 | +++ b/multipathd/cli_handlers.c |
| 21 | @@ -162,10 +162,12 @@ show_maps_json (char ** r, int * len, struct vectors * vecs) |
| 22 | struct multipath * mpp; |
| 23 | char * c; |
| 24 | char * reply; |
| 25 | - unsigned int maxlen = INITIAL_REPLY_LEN * |
| 26 | - PRINT_JSON_MULTIPLIER * VECTOR_SIZE(vecs->mpvec); |
| 27 | + unsigned int maxlen = INITIAL_REPLY_LEN; |
| 28 | int again = 1; |
| 29 | |
| 30 | + if (VECTOR_SIZE(vecs->mpvec) > 0) |
| 31 | + maxlen *= PRINT_JSON_MULTIPLIER * VECTOR_SIZE(vecs->mpvec); |
| 32 | + |
| 33 | vector_foreach_slot(vecs->mpvec, mpp, i) { |
| 34 | if (update_multipath(vecs, mpp->alias, 0)) { |
| 35 | return 1; |
| 36 | -- |
| 37 | 2.8.1 |
| 38 | |