I came across a tdb which had wrapped to 4G + 4K, and the contents had been
destroyed by processes which thought it was only 4k long. Fix this by checking
on open, and making tdb_oob() check for wrap itself.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
(Ported from tdb1 SAMBA commit
b64494535dc62f4073fc6302847593ed6e6ec38b)
off, rec->next);
goto corrupt;
}
off, rec->next);
goto corrupt;
}
- if (tdb->tdb1.io->tdb1_oob(tdb, rec->next+sizeof(*rec), 0))
+ if (tdb->tdb1.io->tdb1_oob(tdb, rec->next, sizeof(*rec), 0))
goto corrupt;
/* Check rec_len: similar to rec->next, implies next record. */
goto corrupt;
/* Check rec_len: similar to rec->next, implies next record. */
goto corrupt;
}
/* OOB allows "right at the end" access, so this works for last rec. */
goto corrupt;
}
/* OOB allows "right at the end" access, so this works for last rec. */
- if (tdb->tdb1.io->tdb1_oob(tdb, off+sizeof(*rec)+rec->rec_len, 0))
+ if (tdb->tdb1.io->tdb1_oob(tdb, off, sizeof(*rec)+rec->rec_len, 0))
goto corrupt;
/* Check tailer. */
goto corrupt;
/* Check tailer. */
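Review bot: The wrap check that tdb1_oob() now performs cannot see an overflow that happens in the caller's argument expression, and `sizeof(*rec)+rec->rec_len` on the changed line is one: the sum is computed in size_t and then narrowed to the tdb1_len_t parameter, so on a 64-bit build a corrupt rec_len close to the 32-bit maximum (assuming tdb1_len_t is 32 bits, as the 4G concern in the commit suggests) collapses to a small length and the record passes the bounds check it was meant to fail; on a 32-bit size_t the addition itself wraps silently. A guard before the call closes this, e.g. `if (rec->rec_len > (tdb1_len_t)-1 - sizeof(*rec)) goto corrupt;`. The same narrowing applies to the other `sizeof(*rec)` callers only with a constant, so they are safe; this is the only call site that adds an on-disk length. The enclosing check function starts and ends outside the hunk.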
}
/* Make sure we know true size of the underlying file. */
}
/* Make sure we know true size of the underlying file. */
- tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size + 1, 1);
+ tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size, 1, 1);
/* Header must be OK: also gets us the recovery ptr, if any. */
if (!tdb1_check_header(tdb, &recovery_start))
/* Header must be OK: also gets us the recovery ptr, if any. */
if (!tdb1_check_header(tdb, &recovery_start))
rec->magic, off);
return -1;
}
rec->magic, off);
return -1;
}
- if (tdb->tdb1.io->tdb1_oob(tdb, rec->next+sizeof(*rec), 0) != 0)
+ if (tdb->tdb1.io->tdb1_oob(tdb, rec->next, sizeof(*rec), 0) != 0)
if necessary
note that "len" is the minimum length needed for the db
*/
if necessary
note that "len" is the minimum length needed for the db
*/
-static int tdb1_oob(struct tdb_context *tdb, tdb1_off_t len, int probe)
+static int tdb1_oob(struct tdb_context *tdb, tdb1_off_t off, tdb1_len_t len,
+ int probe)
- if (len <= tdb->file->map_size)
+ if (len + off < len) {
+ if (!probe) {
+ tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
+ "tdb1_oob off %d len %d wrap\n",
+ (int)off, (int)len);
+ }
+ return -1;
+ }
+
+ if (off + len <= tdb->file->map_size)
return 0;
if (tdb->flags & TDB_INTERNAL) {
if (!probe) {
tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
return 0;
if (tdb->flags & TDB_INTERNAL) {
if (!probe) {
tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
- "tdb1_oob len %d beyond internal malloc size %d",
- (int)len, (int)tdb->file->map_size);
+ "tdb1_oob len %d beyond internal malloc size %u",
+ (int)(off + len), (int)tdb->file->map_size);
- if (st.st_size < (size_t)len) {
+ if (st.st_size < (size_t)off + len) {
if (!probe) {
tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
if (!probe) {
tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
- "tdb1_oob len %d beyond eof at %d",
- (int)len, (int)st.st_size);
+ "tdb1_oob len %u beyond eof at %u",
+ (int)(off + len), (int)st.st_size);
+ /* Beware >4G files! */
+ if ((tdb1_off_t)st.st_size != st.st_size) {
+ tdb->last_error = tdb_logerr(tdb, TDB_ERR_IO, TDB_LOG_ERROR,
+ "tdb1_oob len %llu too large!\n",
+ (long long)st.st_size);
+ return -1;
+ }
+
/* Unmap, update size, remap */
if (tdb1_munmap(tdb) == -1) {
tdb->last_error = TDB_ERR_IO;
/* Unmap, update size, remap */
if (tdb1_munmap(tdb) == -1) {
tdb->last_error = TDB_ERR_IO;
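Review bot: The rewritten log calls pair `%u` conversions with `(int)` arguments (`"beyond internal malloc size %u"` with `(int)tdb->file->map_size`, and `"tdb1_oob len %u beyond eof at %u"` with `(int)(off + len), (int)st.st_size`), which is a format/argument type mismatch that -Wformat will flag and which prints nothing useful above INT_MAX; the new wrap message uses `%d` for two unsigned quantities and has the same problem. Casting to `(unsigned)` and using `%u` throughout keeps the messages consistent and correct for the full 32-bit range that this commit is specifically about, e.g. `"tdb1_oob off %u len %u wrap\n", (unsigned)off, (unsigned)len`. The `>4G` guard and the size comparison before it look right as far as the hunk shows, but the >4G message is the only one in the function that is not suppressed by `probe`, which is presumably intentional for the open-time check; a one-line comment saying so would help. tdb1_oob's body continues past the end of the hunk.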
- if (tdb->tdb1.io->tdb1_oob(tdb, off + len, 0) != 0)
+ if (tdb->tdb1.io->tdb1_oob(tdb, off, len, 0) != 0)
return -1;
if (tdb->file->map_ptr) {
return -1;
if (tdb->file->map_ptr) {
static int tdb1_read(struct tdb_context *tdb, tdb1_off_t off, void *buf,
tdb1_len_t len, int cv)
{
static int tdb1_read(struct tdb_context *tdb, tdb1_off_t off, void *buf,
tdb1_len_t len, int cv)
{
- if (tdb->tdb1.io->tdb1_oob(tdb, off + len, 0) != 0) {
+ if (tdb->tdb1.io->tdb1_oob(tdb, off, len, 0) != 0) {
}
/* must know about any previous expansions by another process */
}
/* must know about any previous expansions by another process */
- tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size + 1, 1);
+ tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size, 1, 1);
/* limit size in order to avoid using up huge amounts of memory for
* in memory tdbs if an oddball huge record creeps in */
/* limit size in order to avoid using up huge amounts of memory for
* in memory tdbs if an oddball huge record creeps in */
* Optimize by avoiding the malloc/memcpy/free, point the
* parser directly at the mmap area.
*/
* Optimize by avoiding the malloc/memcpy/free, point the
* parser directly at the mmap area.
*/
- if (tdb->tdb1.io->tdb1_oob(tdb, offset+len, 0) != 0) {
+ if (tdb->tdb1.io->tdb1_oob(tdb, offset, len, 0) != 0) {
return tdb->last_error;
}
data.dptr = offset + (unsigned char *)tdb->file->map_ptr;
return tdb->last_error;
}
data.dptr = offset + (unsigned char *)tdb->file->map_ptr;
rec->magic, offset);
return -1;
}
rec->magic, offset);
return -1;
}
- return tdb->tdb1.io->tdb1_oob(tdb, rec->next+sizeof(*rec), 0);
+ return tdb->tdb1.io->tdb1_oob(tdb, rec->next, sizeof(*rec), 0);
}
int tdb1_rec_write(struct tdb_context *tdb, tdb1_off_t offset, struct tdb1_record *rec)
}
int tdb1_rec_write(struct tdb_context *tdb, tdb1_off_t offset, struct tdb1_record *rec)
enum TDB_ERROR tdb1_probe_length(struct tdb_context *tdb)
{
tdb->last_error = TDB_SUCCESS;
enum TDB_ERROR tdb1_probe_length(struct tdb_context *tdb)
{
tdb->last_error = TDB_SUCCESS;
- tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size + 1, true);
+ tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size, 1, true);
return tdb->last_error;
}
return tdb->last_error;
}
int (*tdb1_read)(struct tdb_context *, tdb1_off_t , void *, tdb1_len_t , int );
int (*tdb1_write)(struct tdb_context *, tdb1_off_t, const void *, tdb1_len_t);
void (*next_hash_chain)(struct tdb_context *, uint32_t *);
int (*tdb1_read)(struct tdb_context *, tdb1_off_t , void *, tdb1_len_t , int );
int (*tdb1_write)(struct tdb_context *, tdb1_off_t, const void *, tdb1_len_t);
void (*next_hash_chain)(struct tdb_context *, uint32_t *);
- int (*tdb1_oob)(struct tdb_context *, tdb1_off_t , int );
+ int (*tdb1_oob)(struct tdb_context *, tdb1_off_t, tdb1_len_t, int );
int (*tdb1_expand_file)(struct tdb_context *, tdb1_off_t , tdb1_off_t );
};
int (*tdb1_expand_file)(struct tdb_context *, tdb1_off_t , tdb1_off_t );
};
/*
out of bounds check during a transaction
*/
/*
out of bounds check during a transaction
*/
-static int transaction1_oob(struct tdb_context *tdb, tdb1_off_t len, int probe)
+static int transaction1_oob(struct tdb_context *tdb, tdb1_off_t off, tdb1_off_t len, int probe)
- if (len <= tdb->file->map_size) {
+ if (off + len >= off && off + len <= tdb->file->map_size) {
return 0;
}
tdb->last_error = TDB_ERR_IO;
return 0;
}
tdb->last_error = TDB_ERR_IO;
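Review bot: transaction1_oob() declares its new length parameter as `tdb1_off_t len`, while the method-table slot it is installed into is declared `int (*tdb1_oob)(struct tdb_context *, tdb1_off_t, tdb1_len_t, int )` and tdb1_oob() itself takes `tdb1_len_t len`; the function should use the same type, `static int transaction1_oob(struct tdb_context *tdb, tdb1_off_t off, tdb1_len_t len, int probe)`, so the signature matches the pointer it is assigned to rather than relying on both typedefs happening to be the same width. The combined condition `off + len >= off && off + len <= tdb->file->map_size` is correct for unsigned operands, but the wrap case now falls through to the same silent `TDB_ERR_IO` as a plain out-of-range access, unlike tdb1_oob() which logs it; if that asymmetry is intended, a short comment on the branch would save the next reader a comparison. The function's body continues beyond the hunk.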
/* make sure we know about any file expansions already done by
anyone else */
/* make sure we know about any file expansions already done by
anyone else */
- tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size + 1, 1);
+ tdb->tdb1.io->tdb1_oob(tdb, tdb->file->map_size, 1, 1);
tdb->tdb1.transaction->old_map_size = tdb->file->map_size;
/* finally hook the io methods, replacing them with
tdb->tdb1.transaction->old_map_size = tdb->file->map_size;
/* finally hook the io methods, replacing them with
tdb->stats.transaction_expand_file++;
/* remap the file (if using mmap) */
tdb->stats.transaction_expand_file++;
/* remap the file (if using mmap) */
- methods->tdb1_oob(tdb, tdb->file->map_size + 1, 1);
+ methods->tdb1_oob(tdb, tdb->file->map_size, 1, 1);
/* we have to reset the old map size so that we don't try to expand the file
again in the transaction commit, which would destroy the recovery area */
/* we have to reset the old map size so that we don't try to expand the file
again in the transaction commit, which would destroy the recovery area */
}
tdb->stats.transaction_expand_file++;
tdb->file->map_size = tdb->tdb1.transaction->old_map_size;
}
tdb->stats.transaction_expand_file++;
tdb->file->map_size = tdb->tdb1.transaction->old_map_size;
- methods->tdb1_oob(tdb, tdb->file->map_size + 1, 1);
+ methods->tdb1_oob(tdb, tdb->file->map_size, 1, 1);
}
/* Keep the open lock until the actual commit */
}
/* Keep the open lock until the actual commit */