From: Brad Hubbard <bhubbard@redhat.com>
Date: Tue, 28 Mar 2017 03:16:43 +0000 (+1000)
Subject: common: Fix heap buffer overflow in do_request
X-Git-Tag: v12.0.2~235^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b2ab85101e2ddf92a8e6318ae874f8e82be054b3;p=ceph.git

common: Fix heap buffer overflow in do_request

Fixes: http://tracker.ceph.com/issues/19393
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
---

diff --git a/src/common/admin_socket_client.cc b/src/common/admin_socket_client.cc
index 875056028959..31346b98ce6d 100644
--- a/src/common/admin_socket_client.cc
+++ b/src/common/admin_socket_client.cc
@@ -138,8 +138,7 @@ std::string AdminSocketClient::ping(bool *ok)
 std::string AdminSocketClient::do_request(std::string request, std::string *result)
 {
   int socket_fd = 0, res;
-  std::vector<uint8_t> vec(65536, 0);
-  uint8_t *buffer = &vec[0];
+  std::string buffer;
   uint32_t message_size_raw, message_size;
 
   std::string err = asok_connect(m_path, &socket_fd);
@@ -161,7 +160,8 @@ std::string AdminSocketClient::do_request(std::string request, std::string *resu
     goto done;
   }
   message_size = ntohl(message_size_raw);
-  res = safe_read_exact(socket_fd, buffer, message_size);
+  buffer.resize(message_size, 0);
+  res = safe_read_exact(socket_fd, &buffer[0], message_size);
   if (res < 0) {
     int e = res;
     ostringstream oss;
@@ -169,8 +169,8 @@ std::string AdminSocketClient::do_request(std::string request, std::string *resu
     err = oss.str();
     goto done;
   }
-  //printf("MESSAGE FROM SERVER: %s\n", buffer);
-  result->assign((const char*)buffer);
+  //printf("MESSAGE FROM SERVER: %s\n", buffer.c_str());
+  std::swap(*result, buffer);
 done:
   close(socket_fd);
  out: