hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-7455) quote_and_append_arg can overflow buffer
Date Thu, 09 Nov 2017 17:01:00 GMT

     [ https://issues.apache.org/jira/browse/YARN-7455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jason Lowe updated YARN-7455:
-----------------------------
    Summary: quote_and_append_arg can overflow buffer  (was: add_mounts can overrun temporary
buffer)

The code always uses quote_and_append_arg which takes the dest buffer size as a limit and
checks against it, so we'd be fine as long as quote_and_append_arg does its job.  However
quote_and_append_arg doesn't check the sizes properly:
{code}
void quote_and_append_arg(char **str, size_t *size, const char* param, const char *arg) {
  char *tmp = escape_single_quote(arg);
  int alloc_block = 1024;
  strcat(*str, param);
  strcat(*str, "'");
  if (strlen(*str) + strlen(tmp) > *size) {
    *size = (strlen(*str) + strlen(tmp) + alloc_block) * sizeof(char);
    *str = (char *) realloc(*str, *size);
    if (*str == NULL) {
      exit(OUT_OF_MEMORY);
    }
  }
  strcat(*str, tmp);
  strcat(*str, "' ");
{code}

There are a number of problem here:
# The param argument is blindly appended to the destination buffer without checking if there's
room in the buffer.
# There's no buffer size accounting for the prefix and postfix quoting characters placed around
the {{arg}} input string.
# The {{strlen(*str) + strlen(tmp) > size}} has an off-by-one error since it doesn't account
for the terminating NUL character.

In addition to fixing these problems, quote_and_append_arg should return the size of the destination
buffer so callers can properly propagate the new buffer size when quote_and_append_arg resizes
the buffer.

Bonus points for eliminating the many redundant, implicit strlen calls that are occurring
in this function via all the strcat calls.  We should only have to compute the length of the
input strings once, and the length of any computed string can be trivially derived once we
know the length of the inputs.


> quote_and_append_arg can overflow buffer
> ----------------------------------------
>
>                 Key: YARN-7455
>                 URL: https://issues.apache.org/jira/browse/YARN-7455
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Jason Lowe
>
> While reviewing YARN-7197 I noticed that add_mounts in docker_util.c has a potential
buffer overflow since tmp_buffer is only 1024 bytes which may not be sufficient to hold the
specified mount path.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message