OPENAFS-SA-2016-002 VldbListByAttributes information leak
[openafs.git] / src / libadmin / vos / vosutils.c
index aeb493f..1b99d2b 100644 (file)
 #include <afsconfig.h>
 #include <afs/param.h>
 
+#include <roken.h>
+
+#include <afs/afs_AdminErrors.h>
 
 #include "vosutils.h"
 #include "vsprocs.h"
 #include "lockprocs.h"
-#include <afs/afs_AdminErrors.h>
-#include <string.h>
 
 /*
  * VLDB entry conversion routines.
@@ -258,6 +259,10 @@ VLDB_ListAttributes(afs_cell_handle_p cellHandle,
                    cellHandle->vos_new = 0;
                }
            } else {
+               if (*entriesp < 0)
+                   *entriesp = 0;
+               if (*entriesp > blkentriesp->nbulkentries_len)
+                   *entriesp = blkentriesp->nbulkentries_len;
                rc = 1;
            }
        } else {
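Review bot: The two clamps added on `*entriesp` in this `else` branch are order-dependent and carry no comment saying so. If `nbulkentries_len` is an unsigned XDR length (its declaration is not visible here), the second comparison is only meaningful because the negative case has already been forced to 0. I would add `/* count comes from the server; bound it by the decoded array length before any caller indexes with it */` above them. A count that disagrees with the array length is corrected silently; consider reporting it through the status as well, since it indicates a server that is not following the protocol. VLDB_ListAttributes starts and ends outside the hunk.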
@@ -266,21 +271,31 @@ VLDB_ListAttributes(afs_cell_handle_p cellHandle,
                ubik_VL_ListAttributes(cellHandle->vos, 0, attrp,
                          entriesp, &arrayEntries);
            if (tst == 0) {
-               blkentriesp->nbulkentries_val =
-                   (nvldbentry *) malloc(*entriesp * sizeof(*blkentriesp));
-               if (blkentriesp->nbulkentries_val != NULL) {
-                   for (i = 0; i < *entriesp; i++) {
-                       OldVLDB_to_NewVLDB((struct vldbentry *)&arrayEntries.
-                                          bulkentries_val[i],
-                                          (struct nvldbentry *)&blkentriesp->
-                                          nbulkentries_val[i], &tst);
+
+               if (*entriesp < 0)
+                   *entriesp = 0;
+               if (*entriesp > arrayEntries.bulkentries_len)
+                   *entriesp = arrayEntries.bulkentries_len;
+
+               if (*entriesp > 0) {
+                   blkentriesp->nbulkentries_val =
+                       calloc(*entriesp, sizeof(struct nvldbentry));
+                   if (blkentriesp->nbulkentries_val != NULL) {
+                       for (i = 0; i < *entriesp; i++) {
+                           OldVLDB_to_NewVLDB((struct vldbentry *)&arrayEntries.
+                                              bulkentries_val[i],
+                                              (struct nvldbentry *)&blkentriesp->
+                                              nbulkentries_val[i], &tst);
+                       }
+                   } else {
+                       tst = ADMNOMEM;
                    }
                } else {
-                   tst = ADMNOMEM;
-               }
-               if (arrayEntries.bulkentries_val) {
-                   free(arrayEntries.bulkentries_val);
+                   blkentriesp->nbulkentries_val = NULL;
                }
+
+               xdr_free((xdrproc_t)xdr_bulkentries, &arrayEntries);
+
                rc = 1;
            }
        }
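Review bot: When `calloc` fails in the added block, `tst` becomes `ADMNOMEM` but `*entriesp` keeps its positive value while `blkentriesp->nbulkentries_val` is NULL, and `rc = 1` is still assigned afterwards. A caller that walks the array up to `*entriesp` without checking the status would dereference NULL; adding `*entriesp = 0;` next to `tst = ADMNOMEM;` keeps count and array consistent. The visible lines also never assign `blkentriesp->nbulkentries_len` on this path, although the other branch clamps against that field; if it is not set outside the hunk, `blkentriesp->nbulkentries_len = *entriesp;` after the allocation would make the two paths agree. The conversion loop passes `&tst` to every `OldVLDB_to_NewVLDB` call without testing it, so, assuming the helper writes its status there, only the last entry's result survives. VLDB_ListAttributes starts and ends outside the hunk.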
@@ -413,8 +428,8 @@ GetVolumeInfo(afs_cell_handle_p cellHandle, afs_uint32 volid,
     if (volid == rentry->volumeId[ROVOL]) {
        *voltype = ROVOL;
        for (i = 0; i < rentry->nServers; i++) {
-           if ((index == -1) && (rentry->serverFlags[i] & ITSROVOL)
-               && !(rentry->serverFlags[i] & RO_DONTUSE))
+           if ((index == -1) && (rentry->serverFlags[i] & VLSF_ROVOL)
+               && !(rentry->serverFlags[i] & VLSF_DONTUSE))
                index = i;
        }
        if (index == -1) {
@@ -556,8 +571,8 @@ AddressMatch(int addrTest, int addrPattern)
     int bPattern;
 
     /* Test the high byte */
-    bTest = addrTest >> 24;
-    bPattern = addrPattern >> 24;
+    bTest = (addrTest >> 24) & 255;
+    bPattern = (addrPattern >> 24) & 255;
     if ((bTest != bPattern) && (bPattern != 255)) {
        return FALSE;
     }
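Review bot: The added `& 255` on the high byte still shifts a signed `int`. For an address with the top bit set, `>>` on a negative value is implementation-defined, and only the mask rescues the result. Converting first states the intent without relying on that: `bTest = ((unsigned int)addrTest >> 24) & 255;` and likewise for `bPattern`. A short comment such as `/* addrTest is signed, so the shift may sign-extend; keep only the low 8 bits */` would explain why the mask is there. The rest of AddressMatch lies outside the hunk.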