[PATCH] multipathd: "show map mpathx json" would cause realloc error possibly

From: tang.wenjun3@zte.com.cn
To: Christophe Varoqui <christophe.varoqui@opensvc.com>
Cc: zhang.kai16@zte.com.cn, dm-devel@redhat.com,
	10144149 <tang.wenjun3@zte.com.cn>
Subject: [PATCH] multipathd: "show map mpathx json" would cause realloc error possibly
Date: Fri, 14 Oct 2016 11:13:11 +0800	[thread overview]
Message-ID: <1476414791-8996-1-git-send-email-tang.wenjun3@zte.com.cn> (raw)

From: 10144149 <tang.wenjun3@zte.com.cn>

Problem: multipathd dead when we run "show map spathx json" command with
system messages as follows:
Oct 13 11:37:30 rhel7-1 multipathd: *** Error in `/sbin/multipathd': realloc(): invalid next size: 0x00007f8cf8004210 ***
Oct 13 11:37:30 rhel7-1 multipathd: ======= Backtrace: =========
Oct 13 11:37:30 rhel7-1 multipathd: /lib64/libc.so.6(+0x7bc67)[0x7f8d06171c67]
Oct 13 11:37:30 rhel7-1 multipathd: /lib64/libc.so.6(+0x7fb17)[0x7f8d06175b17]
Oct 13 11:37:30 rhel7-1 multipathd: /lib64/libc.so.6(realloc+0xd2)[0x7f8d06176702]

Reasons: in function snprint_multipath_fields_json
vector_foreach_slot (pgp->paths, pp, j) {
       fwd += snprint_path(buff + fwd, len - fwd, PRINT_JSON_PATH, pp, 0);
       if (fwd > len)
            return fwd;

       fwd += snprint_json_elem_footer(buff + fwd,
                len - fwd, 3, j + 1 == VECTOR_SIZE(pgp->paths));
       if (fwd > len)
           return fwd;
}

snprint_path (char * line, int len, char * format, struct path * pp, int pad)

when len - fwd = 0 , The len is not restricted in snprint_path，and the Memory of line is
rewritten in snprint_path, it cause realloc() failed , so fwd > len modify
fwd >= len.

Other commands also have this type of risk.

Signed-off-by: 10144149 <tang.wenjun3@zte.com.cn>
---
 libmultipath/print.c | 131 ++++++++++++++++++++++++++-------------------------
 1 file changed, 66 insertions(+), 65 deletions(-)

diff --git a/libmultipath/print.c b/libmultipath/print.c
index 9aa41ad..78c065f 100644
--- a/libmultipath/print.c
+++ b/libmultipath/print.c
@@ -1004,11 +1004,11 @@ snprint_multipath_topology (char * buff, int len, struct multipath * mpp,
 		c += sprintf(c, "%c[%dm", 0x1B, 0); /* bold off */
 
 	fwd += snprint_multipath(buff + fwd, len - fwd, style, mpp, 1);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	fwd += snprint_multipath(buff + fwd, len - fwd, PRINT_MAP_PROPS, mpp,
 				 1);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	if (!mpp->pg)
@@ -1022,7 +1022,7 @@ snprint_multipath_topology (char * buff, int len, struct multipath * mpp,
 		} else
 			strcpy(f, "`-+- " PRINT_PG_INDENT);
 		fwd += snprint_pathgroup(buff + fwd, len - fwd, fmt, pgp);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 
 		vector_foreach_slot (pgp->paths, pp, i) {
@@ -1035,13 +1035,14 @@ snprint_multipath_topology (char * buff, int len, struct multipath * mpp,
 			else
 				strcpy(f, " `- " PRINT_PATH_INDENT);
 			fwd += snprint_path(buff + fwd, len - fwd, fmt, pp, 1);
-			if (fwd > len)
+			if (fwd >= len)
 				return len;
 		}
 	}
 	return fwd;
 }
 
+
 static int
 snprint_json (char * buff, int len, int indent, char *json_str)
 {
@@ -1049,7 +1050,7 @@ snprint_json (char * buff, int len, int indent, char *json_str)
 
 	for (i = 0; i < indent; i++) {
 		fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_INDENT);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 	}
 
@@ -1063,7 +1064,7 @@ snprint_json_header (char * buff, int len)
 	int fwd = 0;
 
 	fwd +=  snprint_json(buff, len, 0, PRINT_JSON_START_ELEM);
-	if (fwd > len)
+	if (fwd >= len)
 		return fwd;
 
 	fwd +=  snprintf(buff + fwd, len  - fwd, PRINT_JSON_START_VERSION,
@@ -1078,7 +1079,7 @@ snprint_json_elem_footer (char * buff, int len, int indent, int last)
 
 	for (i = 0; i < indent; i++) {
 		fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_INDENT);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 	}
 
@@ -1098,50 +1099,50 @@ snprint_multipath_fields_json (char * buff, int len,
 	struct pathgroup *pgp;
 
 	fwd += snprint_multipath(buff, len, PRINT_JSON_MAP, mpp, 0);
-	if (fwd > len)
+	if (fwd >= len)
 		return fwd;
 
 	fwd += snprint_json(buff + fwd, len - fwd, 2, PRINT_JSON_START_GROUPS);
-	if (fwd > len)
+	if (fwd >= len)
 		return fwd;
 
 	vector_foreach_slot (mpp->pg, pgp, i) {
 
 		pgp->selector = mpp->selector;
 		fwd += snprint_pathgroup(buff + fwd, len - fwd, PRINT_JSON_GROUP, pgp);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 
 		fwd += snprintf(buff + fwd, len - fwd, PRINT_JSON_GROUP_NUM, i + 1);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 
 		fwd += snprint_json(buff + fwd, len - fwd, 3, PRINT_JSON_START_PATHS);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 
 		vector_foreach_slot (pgp->paths, pp, j) {
 			fwd += snprint_path(buff + fwd, len - fwd, PRINT_JSON_PATH, pp, 0);
-			if (fwd > len)
+			if (fwd >= len)
 				return fwd;
 
 			fwd += snprint_json_elem_footer(buff + fwd,
 					len - fwd, 3, j + 1 == VECTOR_SIZE(pgp->paths));
-			if (fwd > len)
+			if (fwd >= len)
 				return fwd;
 		}
 		fwd += snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_ARRAY);
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 
 		fwd +=  snprint_json_elem_footer(buff + fwd,
 				len - fwd, 2, i + 1 == VECTOR_SIZE(mpp->pg));
-		if (fwd > len)
+		if (fwd >= len)
 			return fwd;
 	}
 
 	fwd += snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_ARRAY);
-	if (fwd > len)
+	if (fwd >= len)
 		return fwd;
 
 	fwd += snprint_json_elem_footer(buff + fwd, len - fwd, 1, last);
@@ -1154,23 +1155,23 @@ snprint_multipath_map_json (char * buff, int len,
 	int fwd = 0;
 
 	fwd +=  snprint_json_header(buff, len);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_START_MAP);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd += snprint_multipath_fields_json(buff + fwd, len - fwd, mpp, 1);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd +=  snprint_json(buff + fwd, len - fwd, 0, "\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_LAST);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1182,26 +1183,26 @@ snprint_multipath_topology_json (char * buff, int len, struct vectors * vecs)
 	struct multipath * mpp;
 
 	fwd +=  snprint_json_header(buff, len);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd +=  snprint_json(buff + fwd, len  - fwd, 1, PRINT_JSON_START_MAPS);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	vector_foreach_slot(vecs->mpvec, mpp, i) {
 		fwd += snprint_multipath_fields_json(buff + fwd, len - fwd,
 				mpp, i + 1 == VECTOR_SIZE(vecs->mpvec));
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 
 	fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_ARRAY);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	fwd +=  snprint_json(buff + fwd, len - fwd, 0, PRINT_JSON_END_LAST);
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1225,16 +1226,16 @@ snprint_hwentry (struct config *conf, char * buff, int len, struct hwentry * hwe
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	iterate_sub_keywords(rootkw, kw, i) {
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				kw, hwe);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1252,15 +1253,15 @@ snprint_hwtable (struct config *conf, char * buff, int len, vector hwtable)
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "devices {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	vector_foreach_slot (hwtable, hwe, i) {
 		fwd += snprint_hwentry(conf, buff + fwd, len - fwd, hwe);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1278,16 +1279,16 @@ snprint_mpentry (struct config *conf, char * buff, int len, struct mpentry * mpe
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "\tmultipath {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	iterate_sub_keywords(rootkw, kw, i) {
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				kw, mpe);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1305,15 +1306,15 @@ snprint_mptable (struct config *conf, char * buff, int len, vector mptable)
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "multipaths {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	vector_foreach_slot (mptable, mpe, i) {
 		fwd += snprint_mpentry(conf, buff + fwd, len - fwd, mpe);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1331,19 +1332,19 @@ snprint_overrides (struct config *conf, char * buff, int len, struct hwentry *ov
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "overrides {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	if (!overrides)
 		goto out;
 	iterate_sub_keywords(rootkw, kw, i) {
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, NULL);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 out:
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1361,17 +1362,17 @@ snprint_defaults (struct config *conf, char * buff, int len)
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "defaults {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	iterate_sub_keywords(rootkw, kw, i) {
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				kw, NULL);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1508,7 +1509,7 @@ snprint_blacklist (struct config *conf, char * buff, int len)
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "blacklist {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	vector_foreach_slot (conf->blist_devnode, ble, i) {
@@ -1517,7 +1518,7 @@ snprint_blacklist (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ble);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	vector_foreach_slot (conf->blist_wwid, ble, i) {
@@ -1526,7 +1527,7 @@ snprint_blacklist (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ble);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	vector_foreach_slot (conf->blist_property, ble, i) {
@@ -1535,7 +1536,7 @@ snprint_blacklist (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ble);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	rootkw = find_keyword(conf->keywords, rootkw->sub, "device");
@@ -1544,28 +1545,28 @@ snprint_blacklist (struct config *conf, char * buff, int len)
 
 	vector_foreach_slot (conf->blist_device, bled, i) {
 		fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		kw = find_keyword(conf->keywords, rootkw->sub, "vendor");
 		if (!kw)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				       kw, bled);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		kw = find_keyword(conf->keywords, rootkw->sub, "product");
 		if (!kw)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				       kw, bled);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1585,7 +1586,7 @@ snprint_blacklist_except (struct config *conf, char * buff, int len)
 		return 0;
 
 	fwd += snprintf(buff + fwd, len - fwd, "blacklist_exceptions {\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 
 	vector_foreach_slot (conf->elist_devnode, ele, i) {
@@ -1594,7 +1595,7 @@ snprint_blacklist_except (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ele);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	vector_foreach_slot (conf->elist_wwid, ele, i) {
@@ -1603,7 +1604,7 @@ snprint_blacklist_except (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ele);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	vector_foreach_slot (conf->elist_property, ele, i) {
@@ -1612,7 +1613,7 @@ snprint_blacklist_except (struct config *conf, char * buff, int len)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t%k %v\n",
 				       kw, ele);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	rootkw = find_keyword(conf->keywords, rootkw->sub, "device");
@@ -1621,28 +1622,28 @@ snprint_blacklist_except (struct config *conf, char * buff, int len)
 
 	vector_foreach_slot (conf->elist_device, eled, i) {
 		fwd += snprintf(buff + fwd, len - fwd, "\tdevice {\n");
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		kw = find_keyword(conf->keywords, rootkw->sub, "vendor");
 		if (!kw)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				       kw, eled);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		kw = find_keyword(conf->keywords, rootkw->sub, "product");
 		if (!kw)
 			return 0;
 		fwd += snprint_keyword(buff + fwd, len - fwd, "\t\t%k %v\n",
 				       kw, eled);
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 		fwd += snprintf(buff + fwd, len - fwd, "\t}\n");
-		if (fwd > len)
+		if (fwd >= len)
 			return len;
 	}
 	fwd += snprintf(buff + fwd, len - fwd, "}\n");
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1674,7 +1675,7 @@ snprint_status (char * buff, int len, struct vectors *vecs)
 	fwd += snprintf(buff + fwd, len - fwd, "\npaths: %d\nbusy: %s\n",
 			monitored_count, is_uevent_busy()? "True" : "False");
 
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
@@ -1740,7 +1741,7 @@ snprint_devices (struct config *conf, char * buff, int len, struct vectors *vecs
 	}
 	closedir(blkdir);
 
-	if (fwd > len)
+	if (fwd >= len)
 		return len;
 	return fwd;
 }
-- 
2.8.1.windows.1


--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
