From dbedd62b7cb6c2203afea72d6f0ea32b0d623b10 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Tue, 12 Nov 2013 09:58:44 -0500
Subject: [PATCH] Windows: Fix out of range pointer validation
The ACL, Stat, and Volume pointer validation checks did not take into account that NULL is a valid pointer value. As a result the cache validation failed.
Change-Id: I538310d534fd4ada383d5bf0dc58d49206fe3dfb
Reviewed-on: http://gerrit.openafs.org/10453
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
---
 src/WINNT/afsd/cm_aclent.c | 97 +++++++++++++++++--------------
 src/WINNT/afsd/cm_scache.c | 140 +++++++++++++++++++++++++--------------------
 src/WINNT/afsd/cm_volume.c | 24 ++++----
 3 files changed, 143 insertions(+), 118 deletions(-)
diff --git a/src/WINNT/afsd/cm_aclent.c b/src/WINNT/afsd/cm_aclent.c
index 52c541b..b728b29 100644
--- a/src/WINNT/afsd/cm_aclent.c
+++ b/src/WINNT/afsd/cm_aclent.c
@@ -263,32 +263,37 @@ long cm_ValidateACLCache(void)
 return -1;
 }
- if ( aclp->nextp < (cm_aclent_t *)cm_data.aclBaseAddress ||
- aclp->nextp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
- afsi_log("cm_ValidateACLCache failure: out of range cm_aclent_t pointers");
- fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_aclent_t pointers\n");
- return -11;
+ if ( aclp->nextp) {
+ if ( aclp->nextp < (cm_aclent_t *)cm_data.aclBaseAddress ||
+ aclp->nextp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
+ afsi_log("cm_ValidateACLCache failure: out of range cm_aclent_t pointers");
+ fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_aclent_t pointers\n");
+ return -11;
+ }
+
+ if (aclp->nextp->magic != CM_ACLENT_MAGIC) {
+ afsi_log("cm_ValidateACLCache failure: acpl->nextp->magic != CM_ACLENT_MAGIC");
+ fprintf(stderr,"cm_ValidateACLCache failure: acpl->nextp->magic != CM_ACLENT_MAGIC\n");
+ return -2;
+ }
 }
- if (aclp->nextp && aclp->nextp->magic != CM_ACLENT_MAGIC) {
- afsi_log("cm_ValidateACLCache failure: acpl->nextp->magic != CM_ACLENT_MAGIC");
- fprintf(stderr,"cm_ValidateACLCache failure: acpl->nextp->magic != CM_ACLENT_MAGIC\n");
- return -2;
- }
-
- if ( aclp->backp < (cm_scache_t *)cm_data.scacheBaseAddress ||
- aclp->backp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
- afsi_log("cm_ValidateACLCache failure: out of range cm_scache_t pointers");
- fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_scache_t pointers\n");
- return -12;
+ if ( aclp->backp) {
+ if ( aclp->backp < (cm_scache_t *)cm_data.scacheBaseAddress ||
+ aclp->backp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
+ afsi_log("cm_ValidateACLCache failure: out of range cm_scache_t pointers");
+ fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_scache_t pointers\n");
+ return -12;
+ }
+
+ if (aclp->backp->magic != CM_SCACHE_MAGIC) {
+ afsi_log("cm_ValidateACLCache failure: acpl->backp->magic != CM_SCACHE_MAGIC");
+ fprintf(stderr,"cm_ValidateACLCache failure: 
acpl->backp->magic != CM_SCACHE_MAGIC\n");
+ return -3;
+ }
 }
- if (aclp->backp && aclp->backp->magic != CM_SCACHE_MAGIC) {
- afsi_log("cm_ValidateACLCache failure: acpl->backp->magic != CM_SCACHE_MAGIC");
- fprintf(stderr,"cm_ValidateACLCache failure: acpl->backp->magic != CM_SCACHE_MAGIC\n");
- return -3;
- }
- if (count != 0 && aclp == cm_data.aclLRUp || count > size) {
+ if (count != 0 && aclp == cm_data.aclLRUp || count > size) {
 afsi_log("cm_ValidateACLCache failure: loop in cm_data.aclLRUp list");
 fprintf(stderr, "cm_ValidateACLCache failure: loop in cm_data.aclLRUp list\n");
 return -4;
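Review bot: The range test inside the new `if ( aclp->nextp)` block only proves that the pointer's first byte lies in `[aclBaseAddress, scacheBaseAddress)`; an address in the last few bytes of that region, or one that is not on an entry boundary, still passes and is then dereferenced by `aclp->nextp->magic`. Since this routine exists to reject a damaged cache, the test should also fail when a whole entry does not fit, e.g. by adding `|| (char *)aclp->nextp + sizeof(cm_aclent_t) > (char *)cm_data.scacheBaseAddress`, and, if the entries form a packed array starting at `aclBaseAddress` (not visible here), when the offset is not a multiple of `sizeof(cm_aclent_t)`. The same applies to `backp` in this hunk and to the matching blocks in the `-311` hunk, the three cm_scache.c hunks and the cm_volume.c hunk. cm_ValidateACLCache starts and ends outside the hunk.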
@@ -311,32 +316,36 @@ long cm_ValidateACLCache(void)
 return -5;
 }
- if ( aclp->nextp < (cm_aclent_t *)cm_data.aclBaseAddress ||
- aclp->nextp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
- afsi_log("cm_ValidateACLCache failure: out of range cm_aclent_t pointers");
- fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_aclent_t pointers\n");
- return -14;
+ if ( aclp->nextp) {
+ if ( aclp->nextp < (cm_aclent_t *)cm_data.aclBaseAddress ||
+ aclp->nextp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
+ afsi_log("cm_ValidateACLCache failure: out of range cm_aclent_t pointers");
+ fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_aclent_t pointers\n");
+ return -14;
+ }
+
+ if ( aclp->nextp->magic != CM_ACLENT_MAGIC) {
+ afsi_log("cm_ValidateACLCache failure: aclp->nextp->magic != CM_ACLENT_MAGIC");
+ fprintf(stderr, "cm_ValidateACLCache failure: aclp->nextp->magic != CM_ACLENT_MAGIC\n");
+ return -6;
+ }
 }
- if (aclp->nextp && aclp->nextp->magic != CM_ACLENT_MAGIC) {
- afsi_log("cm_ValidateACLCache failure: aclp->nextp->magic != CM_ACLENT_MAGIC");
- fprintf(stderr, "cm_ValidateACLCache failure: aclp->nextp->magic != CM_ACLENT_MAGIC\n");
- return -6;
- }
-
- if ( aclp->backp < (cm_scache_t *)cm_data.scacheBaseAddress ||
- aclp->backp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
- afsi_log("cm_ValidateACLCache failure: out of range cm_scache_t pointers");
- fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_scache_t pointers\n");
- return -15;
+ if ( aclp->backp) {
+ if ( aclp->backp < (cm_scache_t *)cm_data.scacheBaseAddress ||
+ aclp->backp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
+ afsi_log("cm_ValidateACLCache failure: out of range cm_scache_t pointers");
+ fprintf(stderr, "cm_ValidateACLCache failure: out of range cm_scache_t pointers\n");
+ return -15;
+ }
+
+ if ( aclp->backp->magic != CM_SCACHE_MAGIC) {
+ afsi_log("cm_ValidateACLCache failure: aclp->backp->magic != CM_SCACHE_MAGIC");
+ fprintf(stderr, "cm_ValidateACLCache 
failure: aclp->backp->magic != CM_SCACHE_MAGIC\n");
+ return -7;
+ }
 }
- if (aclp->backp && aclp->backp->magic != CM_SCACHE_MAGIC) {
- afsi_log("cm_ValidateACLCache failure: aclp->backp->magic != CM_SCACHE_MAGIC");
- fprintf(stderr, "cm_ValidateACLCache failure: aclp->backp->magic != CM_SCACHE_MAGIC\n");
- return -7;
- }
-
 if (count != 0 && aclp == cm_data.aclLRUEndp || count > size) {
 afsi_log("cm_ValidateACLCache failure: loop in cm_data.aclLRUEndp list");
 fprintf(stderr, "cm_ValidateACLCache failure: loop in cm_data.aclLRUEndp list\n");
diff --git a/src/WINNT/afsd/cm_scache.c b/src/WINNT/afsd/cm_scache.c
index a619428..257689b 100644
--- a/src/WINNT/afsd/cm_scache.c
+++ b/src/WINNT/afsd/cm_scache.c
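Review bot: In the second cm_ValidateACLCache hunk (`-311`), the bounds tests kept inside the new `if ( aclp->nextp)` and `if ( aclp->backp)` blocks compare a possibly corrupt pointer with `<` and `>=` against the region bases, and C only defines relational comparison for pointers into the same object. Comparing the addresses as integers, `(uintptr_t)aclp->nextp < (uintptr_t)cm_data.aclBaseAddress`, keeps the test well defined for exactly the values it is meant to catch. A short comment above each block such as `/* NULL ends the list; any other value must lie inside the ACL region */` would also record why NULL is exempt. The same comparison form is used in every other hunk of this patch.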
@@ -538,31 +538,35 @@ cm_ValidateSCache(void)
 return -1;
 }
- if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
- scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
- return -21;
+ if ( scp->nextp) {
+ if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
+ scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
+ return -21;
+ }
+
+ if ( scp->nextp->magic != CM_SCACHE_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
+ return -2;
+ }
 }
- if (scp->nextp && scp->nextp->magic != CM_SCACHE_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
- return -2;
- }
+ if ( scp->randomACLp) {
+ if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
+ scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
+ return -32;
+ }
- if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
- scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
- return -32;
+ if ( scp->randomACLp->magic != CM_ACLENT_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: 
scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
+ return -3;
+ }
 }
-
- if (scp->randomACLp && scp->randomACLp->magic != CM_ACLENT_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
- return -3;
- }
 if (i > cm_data.currentSCaches ) {
 afsi_log("cm_ValidateSCache failure: LRU First queue loops");
 fprintf(stderr, "cm_ValidateSCache failure: LUR First queue loops\n");
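Review bot: The two messages for the queue-loop failure at the end of this hunk disagree: `afsi_log` writes "LRU First queue loops" while the `fprintf` writes "LUR First queue loops", and the `-591` hunk has the same mismatch for "LUR Last". Every failure in these validators spells its text twice, which is how the copies drift; the first cm_aclent.c hunk likewise prints `acpl->` for the variable `aclp`. Since the patch re-indents all of these pairs anyway, one message constant or a small macro that feeds both sinks would keep the log and stderr searchable with the same string. cm_ValidateSCache starts and ends outside the hunk.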
@@ -591,32 +595,37 @@ cm_ValidateSCache(void)
 return -5;
 }
- if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
- scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
- return -22;
+ if ( scp->nextp) {
+ if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
+ scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
+ return -22;
+ }
+
+ if ( scp->nextp->magic != CM_SCACHE_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
+ return -6;
+ }
 }
- if (scp->nextp && scp->nextp->magic != CM_SCACHE_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
- return -6;
- }
+ if ( scp->randomACLp) {
+ if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
+ scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
+ return -31;
+ }
- if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
- scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
- return -31;
+ if ( scp->randomACLp->magic != CM_ACLENT_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: 
scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
+ return -7;
+ }
 }
- if (scp->randomACLp && scp->randomACLp->magic != CM_ACLENT_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
- return -7;
- }
- if (i > cm_data.currentSCaches ) {
+ if (i > cm_data.currentSCaches ) {
 afsi_log("cm_ValidateSCache failure: LRU Last queue loops");
 fprintf(stderr, "cm_ValidateSCache failure: LUR Last queue loops\n");
 return -14;
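Review bot: The out-of-range messages in this hunk are word for word the same as in the `-538` and `-647` hunks, so only the return value (`-22`/`-31` here, `-21`/`-32` and `-23`/`-30` there) tells an operator which walk and which field failed. Naming the walk and field in the text, for example `"cm_ValidateSCache failure: LRU Last scp->randomACLp out of range"` (this walk appears to be the LRU Last queue, judging by the loop message below it), would make a failed validation diagnosable from the log alone. A comment listing the return codes would help too, since the `randomACLp` codes count down across the three walks while the `nextp` codes count up. The function's start and the rest of the loop are outside the hunk.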
@@ -647,32 +656,37 @@ cm_ValidateSCache(void)
 return -9;
 }
- if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
- scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
- return -23;
+ if ( scp->nextp) {
+ if ( scp->nextp < (cm_scache_t *)cm_data.scacheBaseAddress ||
+ scp->nextp >= (cm_scache_t *)cm_data.dnlcBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_scache_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_scache_t pointers\n");
+ return -23;
+ }
+
+ if ( scp->nextp->magic != CM_SCACHE_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
+ return -10;
+ }
 }
- if (scp->nextp && scp->nextp->magic != CM_SCACHE_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->nextp->magic != CM_SCACHE_MAGIC\n");
- return -10;
- }
+ if ( scp->randomACLp) {
+ if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
+ scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
+ afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
+ fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
+ return -30;
+ }
- if ( scp->randomACLp < (cm_aclent_t *)cm_data.aclBaseAddress ||
- scp->randomACLp >= (cm_aclent_t *)cm_data.scacheBaseAddress) {
- afsi_log("cm_ValidateSCache failure: out of range cm_aclent_t pointers");
- fprintf(stderr, "cm_ValidateSCache failure: out of range cm_aclent_t pointers\n");
- return -30;
+ if ( scp->randomACLp->magic != CM_ACLENT_MAGIC) {
+ afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
+ fprintf(stderr, "cm_ValidateSCache failure: 
scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
+ return -11;
+ }
 }
- if (scp->randomACLp && scp->randomACLp->magic != CM_ACLENT_MAGIC) {
- afsi_log("cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC");
- fprintf(stderr, "cm_ValidateSCache failure: scp->randomACLp->magic != CM_ACLENT_MAGIC\n");
- return -11;
- }
- if (hash != i) {
+ if (hash != i) {
 afsi_log("cm_ValidateSCache failure: scp hash != hash index");
 fprintf(stderr, "cm_ValidateSCache failure: scp hash != hash index\n");
 return -13;
diff --git a/src/WINNT/afsd/cm_volume.c b/src/WINNT/afsd/cm_volume.c
index 87ad865..8aeece1 100644
--- a/src/WINNT/afsd/cm_volume.c
+++ b/src/WINNT/afsd/cm_volume.c
@@ -59,18 +59,20 @@ cm_ValidateVolume(void)
 return -2;
 }
- if ( volp->allNextp < (cm_volume_t *)cm_data.volumeBaseAddress ||
- volp->allNextp >= (cm_volume_t *)cm_data.cellBaseAddress) {
- afsi_log("cm_ValidateVolume failure: out of range cm_volume_t pointers");
- fprintf(stderr, "cm_ValidateVolume failure: out of range cm_volume_t pointers\n");
- return -12;
- }
+ if ( volp->allNextp) {
+ if ( volp->allNextp < (cm_volume_t *)cm_data.volumeBaseAddress ||
+ volp->allNextp >= (cm_volume_t *)cm_data.cellBaseAddress) {
+ afsi_log("cm_ValidateVolume failure: out of range cm_volume_t pointers");
+ fprintf(stderr, "cm_ValidateVolume failure: out of range cm_volume_t pointers\n");
+ return -12;
+ }
- if ( volp->allNextp && volp->allNextp->magic != CM_VOLUME_MAGIC ) {
- afsi_log("cm_ValidateVolume failure: volp->allNextp->magic != CM_VOLUME_MAGIC");
- fprintf(stderr, "cm_ValidateVolume failure: volp->allNextp->magic != CM_VOLUME_MAGIC\n");
- return -3;
- }
+ if ( volp->allNextp->magic != CM_VOLUME_MAGIC ) {
+ afsi_log("cm_ValidateVolume failure: volp->allNextp->magic != CM_VOLUME_MAGIC");
+ fprintf(stderr, "cm_ValidateVolume failure: volp->allNextp->magic != CM_VOLUME_MAGIC\n");
+ return -3;
+ }
+ }
 if ( count != 0 && volp == cm_data.allVolumesp || count > cm_data.maxVolumes ) {
-- 1.9.4
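Review bot: In the cm_volume.c hunk, the loop guard right after the new block, `if ( count != 0 && volp == cm_data.allVolumesp || count > cm_data.maxVolumes )`, mixes `&&` and `||` without parentheses. It parses as intended, but this is the check that bounds the walk over a possibly damaged list, so writing `(count != 0 && volp == cm_data.allVolumesp) || count > cm_data.maxVolumes` makes the grouping explicit and avoids the usual compiler warning. The first cm_aclent.c hunk re-adds the same unparenthesized form on its `+` side for `cm_data.aclLRUp`. The hunk ends on this line, so the body of the `if` is not visible.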