From b63b77514327e7b90dcc17e3a7ae5b784d5e5ee4 Mon Sep 17 00:00:00 2001
From: Zdenek Kabelac <zkabelac@redhat.com>
Date: Wed, 8 Feb 2012 11:29:13 +0000
Subject: Add boundary test for number of mirror devs and logs

As atoi may return negative value - test for both limits.
Test log_args for limits before calling alloca().
Code from dmeventd mirror plugin should probably share same code as
we have in mirrored.c.
---
 daemons/dmeventd/plugins/mirror/dmeventd_mirror.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'daemons/dmeventd/plugins')

diff --git a/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c b/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
index ed062313..679029b5 100644
--- a/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
+++ b/daemons/dmeventd/plugins/mirror/dmeventd_mirror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2011 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2005-2012 Red Hat, Inc. All rights reserved.
  *
  * This file is part of LVM2.
  *
@@ -18,6 +18,7 @@
 #include "errors.h"
 #include "libdevmapper-event.h"
 #include "dmeventd_lvm.h"
+#include "defaults.h"
 
 #include <syslog.h> /* FIXME Replace syslog with multilog */
 /* FIXME Missing openlog? */
@@ -81,7 +82,8 @@ static int _get_mirror_event(char *params)
 	if (!dm_split_words(params, 1, 0, &p))
 		goto out_parse;
 
-	if (!(num_devs = atoi(p)))
+	if (!(num_devs = atoi(p)) ||
+	    (num_devs > DEFAULT_MIRROR_MAX_IMAGES) || (num_devs < 0))
 		goto out_parse;
 	p += strlen(p) + 1;
 
@@ -90,6 +92,7 @@ static int _get_mirror_event(char *params)
 	if (!args || dm_split_words(p, num_devs + 7, 0, args) < num_devs + 5)
 		goto out_parse;
 
+	/* FIXME: Code differs from lib/mirror/mirrored.c */
 	dev_status_str = args[2 + num_devs];
 	log_argc = atoi(args[3 + num_devs]);
 	log_status_str = args[3 + num_devs + log_argc];
-- 
cgit