From: Alan Somers Date: Tue, 15 Oct 2013 20:06:06 +0000 (-0700) Subject: ceph-dencoder: select_generated() should properly validate its input X-Git-Tag: v0.72-rc1~57 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=26228ed701870a3625a41f798359d4e550b248b8;p=ceph.git ceph-dencoder: select_generated() should properly validate its input If m_list.size() == 0, then calling select_generated(0) will result in uninitialized data being assigned to m_object, which will cause a segfault down the road. This patch fixes that. To Reproduce: $ ceph-dencoder type MWatchNotify select_test 0 encode decode Segmentation fault (core dumped) After the patch: $ ./ceph-dencoder type MWatchNotify select_test 0 encode decode error: invalid id for generated object $ echo $? 1 Fixes: #6510 Signed-off-by: Alan Somers
---
diff --git a/src/test/encoding/ceph_dencoder.cc b/src/test/encoding/ceph_dencoder.cc
index 81abcd1de9e3..dbed6f524d80 100644
--- a/src/test/encoding/ceph_dencoder.cc
+++ b/src/test/encoding/ceph_dencoder.cc
@@ -93,7 +93,7 @@ public:
 // allow 0- or 1-based (by wrapping)
 if (i == 0)
 i = m_list.size();
- if (i > m_list.size())
+ if ((i == 0) || (i > m_list.size()))
 return "invalid id for generated object";
 typename list::iterator p = m_list.begin();
 for (i--; i > 0 && p != m_list.end(); ++p, --i) ;
@@ -177,7 +177,7 @@ public:
 // allow 0- or 1-based (by wrapping)
 if (i == 0)
 i = m_list.size();
- if (i > m_list.size())
+ if ((i == 0) || (i > m_list.size()))
 return "invalid id for generated object";
 typename list::iterator p = m_list.begin();
 for (i--; i > 0 && p != m_list.end(); ++p, --i) ;
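Review bot: The added `(i == 0)` test can only be true when `m_list` is empty, because the wrap two lines above has already mapped 0 to `m_list.size()`; the condition does not say that, and a later reader may take it for a redundant check and remove it. Stating the intent directly, `if (m_list.empty() || i > m_list.size())`, or adding the comment `// i is still 0 here only if m_list is empty`, would make the guard against walking an empty list explicit. The same guard is duplicated verbatim in the second hunk (around line 177), so the point applies there too, and moving the index validation into one shared helper would keep the two copies from drifting apart. The enclosing functions (presumably the two select_generated() implementations) start and end outside both hunks, so the use of `p` after the loop is not visible here. A regression test for the empty-list case from the commit message would help keep this input check in place.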