Date: Thu, 9 Nov 2017 17:01:00 +0000 (UTC)
From: "Jason Lowe (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Updated] (YARN-7455) quote_and_append_arg can overflow buffer

[ https://issues.apache.org/jira/browse/YARN-7455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Lowe updated YARN-7455:
-----------------------------
    Summary: quote_and_append_arg can overflow buffer  (was: add_mounts can overrun temporary buffer)

The code always uses quote_and_append_arg which takes the dest buffer size as a limit and checks against it, so we'd be fine as long as quote_and_append_arg does its job. However quote_and_append_arg doesn't check the sizes properly:

{code}
void quote_and_append_arg(char **str, size_t *size, const char* param, const char *arg) {
  char *tmp = escape_single_quote(arg);
  int alloc_block = 1024;
  strcat(*str, param);   /* param appended with no check for room */
  strcat(*str, "'");     /* opening quote appended, never counted */
  if (strlen(*str) + strlen(tmp) > *size) {   /* off by one: no room for the NUL */
    *size = (strlen(*str) + strlen(tmp) + alloc_block) * sizeof(char);
    *str = (char *) realloc(*str, *size);
    if (*str == NULL) {
      exit(OUT_OF_MEMORY);
    }
  }
  strcat(*str, tmp);
  strcat(*str, "' ");    /* closing quote and space, also never counted */
  free(tmp);
}
{code}

There are a number of problems here:
# The param argument is blindly appended to the destination buffer without checking if there's room in the buffer.
# There's no buffer size accounting for the prefix and postfix quoting characters placed around the {{arg}} input string.
# The {{strlen(*str) + strlen(tmp) > *size}} check has an off-by-one error since it doesn't account for the terminating NUL character.

In addition to fixing these problems, quote_and_append_arg should return the size of the destination buffer so callers can properly propagate the new buffer size when quote_and_append_arg resizes the buffer.

Bonus points for eliminating the many redundant, implicit strlen calls that are occurring in this function via all the strcat calls. We should only have to compute the length of the input strings once, and the length of any computed string can be trivially derived once we know the length of the inputs.

> quote_and_append_arg can overflow buffer
> ----------------------------------------
>
>                 Key: YARN-7455
>                 URL: https://issues.apache.org/jira/browse/YARN-7455
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Jason Lowe
>
> While reviewing YARN-7197 I noticed that add_mounts in docker_util.c has a potential buffer overflow since tmp_buffer is only 1024 bytes which may not be sufficient to hold the specified mount path.
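The following is an added example, not Hadoop's code and not the patch that eventually landed on YARN-7455: a hardened quote_and_append_arg that addresses the three problems listed above (it counts the param, both quotes, the trailing space and the terminating NUL before deciding whether to grow; it measures each input once and writes at known offsets instead of repeated strcat calls; and it returns the resulting buffer capacity). The escape_single_quote here is an assumed stand-in for the container-executor helper of that name, written to turn each ' into '"'"'; demo_grow_and_quote and its mount path are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Hadoop's code): a hardened quote_and_append_arg that
 * fixes the three problems listed in the issue. escape_single_quote below
 * is an assumed stand-in for the container-executor helper of that name. */

/* Assumed behaviour: return a malloc'd copy of arg in which every ' becomes
 * '"'"' so the value survives inside a single-quoted shell word. */
static char *escape_single_quote(const char *arg) {
  size_t quotes = 0;
  for (const char *p = arg; *p; p++) {
    if (*p == '\'') quotes++;
  }
  char *out = malloc(strlen(arg) + quotes * 4 + 1); /* each ' grows by 4 */
  if (out == NULL) return NULL;
  char *w = out;
  for (const char *p = arg; *p; p++) {
    if (*p == '\'') {
      memcpy(w, "'\"'\"'", 5);
      w += 5;
    } else {
      *w++ = *p;
    }
  }
  *w = '\0';
  return out;
}

/* Append param, an opening quote, the escaped arg, a closing quote and a
 * trailing space to *str, growing the buffer first when it is too small.
 * Every input length is measured once, the quotes and terminating NUL are
 * counted, and the (possibly new) capacity is returned for the caller. */
size_t quote_and_append_arg(char **str, size_t *size, const char *param,
                            const char *arg) {
  const size_t alloc_block = 1024;
  char *tmp = escape_single_quote(arg);
  if (tmp == NULL) {
    fprintf(stderr, "out of memory\n");
    exit(EXIT_FAILURE);
  }
  size_t cur_len = strlen(*str);
  size_t param_len = strlen(param);
  size_t tmp_len = strlen(tmp);
  size_t add_len = param_len + 1 + tmp_len + 2; /* param ' arg ' space */
  size_t needed = cur_len + add_len + 1;        /* + terminating NUL */

  if (needed > *size) {
    size_t new_size = needed + alloc_block;
    char *grown = realloc(*str, new_size);
    if (grown == NULL) {
      free(tmp);
      fprintf(stderr, "out of memory\n");
      exit(EXIT_FAILURE);
    }
    *str = grown;
    *size = new_size;
  }

  /* Write each piece at a known offset instead of rescanning via strcat. */
  char *w = *str + cur_len;
  memcpy(w, param, param_len); w += param_len;
  *w++ = '\'';
  memcpy(w, tmp, tmp_len);     w += tmp_len;
  *w++ = '\'';
  *w++ = ' ';
  *w = '\0';
  free(tmp);
  return *size;
}

/* Start from a deliberately tiny buffer and append a constructed mount path
 * that is longer than it, with an embedded quote. Returns 1 when the buffer
 * grew, the content is exactly what a caller would expect, and the NUL
 * still fits inside the reported capacity. */
int demo_grow_and_quote(void) {
  size_t size = 8;
  char *buf = calloc(size, 1);
  if (buf == NULL) return 0;
  const char *path = "/very/long/it's/a/path";          /* constructed */
  size_t new_size = quote_and_append_arg(&buf, &size, "-v ", path);
  int ok = new_size == size && strlen(buf) + 1 <= size &&
           strcmp(buf, "-v '/very/long/it'\"'\"'s/a/path' ") == 0;
  free(buf);
  return ok;
}

int main(void) {
  printf("hardened append %s\n", demo_grow_and_quote() ? "ok" : "FAILED");
  return 0;
}
```

The capacity check is done once, up front, against the full amount about to be written, so there is no window in which a strcat runs before the growth decision; returning *size lets callers such as add_mounts keep their own copy of the capacity in step with the buffer.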