para_server: Never read past the end of the chunk table.
authorAndre Noll <maan@tuebingen.mpg.de>
Thu, 22 Dec 2016 01:38:05 +0000 (02:38 +0100)
committerAndre Noll <maan@tuebingen.mpg.de>
Sat, 25 Mar 2017 10:54:36 +0000 (11:54 +0100)
If the server command "ls" is executed with the -c option to print
the chunk table, we assume that afhi->chunks_total many chunks are
stored in the osl disk object that represents the chunk table.

This should be true in general, but since we also know the size of
the osl object, it does not hurt to check this bound as well and
break out of the loop if the next read would access memory beyond
the end of the object.

aft.c

diff --git a/aft.c b/aft.c
index bfcd1fb0162fe8a8a03c0f5ba165acc60be71cf0..8b9d85b5d1010ea57b779082969a21700bd12b93 100644 (file)
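--- a/aft.c
+++ b/aft.c
@@ -820,7 +820,11 @@ static int print_chunk_table(struct ls_data *d, struct para_buffer *b)
                 (long unsigned) d->afhi.chunk_tv.tv_usec
         );
         buf = chunk_table_obj.data;
-       for (i = 0; i <= d->afhi.chunks_total; i++)
+       for (
+               i = 0;
+               i <= d->afhi.chunks_total && 4 * i + 3 < chunk_table_obj.size;
+               i++
+       )
                 para_printf(b, "%u ", (unsigned) read_u32(buf + 4 * i));
         para_printf(b, "\n");
         ret = 1;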
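Review bot: When the osl object is shorter than `d->afhi.chunks_total` implies, the new loop condition ends the loop silently and `ret = 1` still reports success, so a truncated or corrupted chunk table is indistinguishable from a valid one in the `ls -c` output. Since the mismatch is already detected here, it is worth surfacing: after the loop, test `if (i <= d->afhi.chunks_total)` and log a warning or return an error rather than only printing fewer entries. Separately, the bound does arithmetic on `i` before the comparison; the declaration of `i` is outside the hunk, but if it is a 32-bit type, `4 * i + 3` is evaluated in that width, and writing the limit as `i < chunk_table_obj.size / 4` expresses the same check without multiplying the index. The body of print_chunk_table starts and ends outside this hunk, so how `ret` is used afterwards is not visible here.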