Project

General

Profile

Actions
Copy link

Bug #8447

closed

librados: buffer overflow in rados_pool_list

Added by Noah Watkins almost 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
High
Assignee:
Sage Weil
Category:
-
Target version:
-
% Done:

0%

Source:
Development
Tags:
Backport:
firefly
Regression:
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When input `len` is small and non-zero `strncat` will correctly avoid overflowing the input buffer, but then `len -= rl;` will cause `len` to wrap around to a large positive value and then additional calls to `strncat` will overflow the input buffer.

Actions
Copy link
 #1

Updated by Sage Weil almost 10 years ago

  • Priority changed from Normal to Urgent
  • Source changed from other to Development
Actions
Copy link
 #2

Updated by Sage Weil almost 10 years ago

  • Assignee set to Sage Weil
Actions
Copy link
 #3

Updated by Sage Weil almost 10 years ago

  • Status changed from New to Fix Under Review
Actions
Copy link
 #4

Updated by Sage Weil almost 10 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Priority changed from Urgent to High
Actions
Copy link
 #5

Updated by Sage Weil almost 10 years ago

  • Status changed from Pending Backport to Resolved
  • Backport set to firefly
Actions
Copy link

Also available in: Atom PDF