From: Andre Noll <maan@tuebingen.mpg.de>
Date: Thu, 22 Dec 2016 01:38:05 +0000 (+0100)
Subject: para_server: Never read past the end of the chunk table.
X-Git-Tag: v0.6.0~7^2~23
X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=commitdiff_plain;h=e0f54e42887a8beef092755f5ed9cdf6d499bef2

para_server: Never read past the end of the chunk table.

If the server command "ls" is executed with the -c option to print
the chunk table, we assume that afhi->chunks_total many chunks are
stored in the osl disk object that represents the chunk table.

This should be true in general, but since we also know the size of
the osl object, it does not hurt to check this bound as well and
break out of the loop if the next read would access memory beyond
the end of the object.
---

diff --git a/aft.c b/aft.c
index bfcd1fb0..8b9d85b5 100644
--- a/aft.c
+++ b/aft.c
@@ -820,7 +820,11 @@ static int print_chunk_table(struct ls_data *d, struct para_buffer *b)
 		(long unsigned) d->afhi.chunk_tv.tv_usec
 	);
 	buf = chunk_table_obj.data;
-	for (i = 0; i <= d->afhi.chunks_total; i++)
+	for (
+		i = 0;
+		i <= d->afhi.chunks_total && 4 * i + 3 < chunk_table_obj.size;
+		i++
+	)
 		para_printf(b, "%u ", (unsigned) read_u32(buf + 4 * i));
 	para_printf(b, "\n");
 	ret = 1;