diff options
author | Rusty Russell <rusty@rustcorp.com.au> | 2012-01-30 09:23:50 +1030 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2012-01-30 09:23:50 +1030 |
commit | 205e198471a481b849d05b5756261f1739c0c8b2 (patch) | |
tree | 1a3901d647eb9f3ecd63debc4ef98173e8083b4b /lib/tdb2/io.c | |
parent | 697a6e9504d9f3eefd97c7c822e90feddd9b9a3b (diff) | |
download | samba-205e198471a481b849d05b5756261f1739c0c8b2.tar.gz samba-205e198471a481b849d05b5756261f1739c0c8b2.tar.bz2 samba-205e198471a481b849d05b5756261f1739c0c8b2.zip |
tdb2: careful on wrap.
It's much harder to wrap a 64-bit tdb2 than a 32-bit tdb1, but we should still
take care against bugs.
Also, we should *not* cast the length to a size_t when comparing it to
the stat result, in case size_t is 32 bit.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
(Imported from CCAN commit 6f7cb26e589cea081e71c59801eae87178967861)
Diffstat (limited to 'lib/tdb2/io.c')
-rw-r--r-- | lib/tdb2/io.c | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/lib/tdb2/io.c b/lib/tdb2/io.c index afab0c1a4c..b4a6f0beae 100644 --- a/lib/tdb2/io.c +++ b/lib/tdb2/io.c @@ -81,8 +81,8 @@ void tdb_mmap(struct tdb_context *tdb) If probe is true, len being too large isn't a failure. */ -static enum TDB_ERROR tdb_oob(struct tdb_context *tdb, tdb_off_t len, - bool probe) +static enum TDB_ERROR tdb_oob(struct tdb_context *tdb, + tdb_off_t off, tdb_len_t len, bool probe) { struct stat st; enum TDB_ERROR ecode; @@ -92,7 +92,16 @@ static enum TDB_ERROR tdb_oob(struct tdb_context *tdb, tdb_off_t len, || (tdb->flags & TDB_NOLOCK) || tdb_has_expansion_lock(tdb)); - if (len <= tdb->file->map_size) + if (len + off < len) { + if (probe) + return TDB_SUCCESS; + + return tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR, + "tdb_oob off %llu len %llu wrap\n", + (long long)off, (long long)len); + } + + if (len + off <= tdb->file->map_size) return TDB_SUCCESS; if (tdb->flags & TDB_INTERNAL) { if (probe) @@ -101,7 +110,7 @@ static enum TDB_ERROR tdb_oob(struct tdb_context *tdb, tdb_off_t len, tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR, "tdb_oob len %lld beyond internal" " malloc size %lld", - (long long)len, + (long long)(off + len), (long long)tdb->file->map_size); return TDB_ERR_IO; } @@ -120,13 +129,13 @@ static enum TDB_ERROR tdb_oob(struct tdb_context *tdb, tdb_off_t len, tdb_unlock_expand(tdb, F_RDLCK); - if (st.st_size < (size_t)len) { + if (st.st_size < off + len) { if (probe) return TDB_SUCCESS; tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR, - "tdb_oob len %zu beyond eof at %zu", - (size_t)len, st.st_size); + "tdb_oob len %llu beyond eof at %zu", + (long long)(off + len), st.st_size); return TDB_ERR_IO; } @@ -253,7 +262,7 @@ static enum TDB_ERROR tdb_write(struct tdb_context *tdb, tdb_off_t off, "Write to read-only database"); } - ecode = tdb->tdb2.io->oob(tdb, off + len, false); + ecode = tdb->tdb2.io->oob(tdb, off, len, false); if (ecode != TDB_SUCCESS) { return ecode; } @@ -283,7 +292,7 @@ static enum TDB_ERROR tdb_read(struct tdb_context *tdb, tdb_off_t off, { enum TDB_ERROR ecode; - ecode = tdb->tdb2.io->oob(tdb, off + len, false); + ecode = tdb->tdb2.io->oob(tdb, off, len, false); if (ecode != TDB_SUCCESS) { return ecode; } @@ -574,7 +583,7 @@ static void *tdb_direct(struct tdb_context *tdb, tdb_off_t off, size_t len, if (unlikely(!tdb->file->map_ptr)) return NULL; - ecode = tdb_oob(tdb, off + len, false); + ecode = tdb_oob(tdb, off, len, false); if (unlikely(ecode != TDB_SUCCESS)) return TDB_ERR_PTR(ecode); return (char *)tdb->file->map_ptr + off; |