From b2ab85101e2ddf92a8e6318ae874f8e82be054b3 Mon Sep 17 00:00:00 2001
From: Brad Hubbard <bhubbard@redhat.com>
Date: Tue, 28 Mar 2017 13:16:43 +1000
Subject: [PATCH] common: Fix heap buffer overflow in do_request

Fixes: http://tracker.ceph.com/issues/19393
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
---
 src/common/admin_socket_client.cc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/common/admin_socket_client.cc b/src/common/admin_socket_client.cc
index 875056028959..31346b98ce6d 100644
--- a/src/common/admin_socket_client.cc
+++ b/src/common/admin_socket_client.cc
@@ -138,8 +138,7 @@ std::string AdminSocketClient::ping(bool *ok)
 std::string AdminSocketClient::do_request(std::string request, std::string *result)
 {
   int socket_fd = 0, res;
-  std::vector<uint8_t> vec(65536, 0);
-  uint8_t *buffer = &vec[0];
+  std::string buffer;
   uint32_t message_size_raw, message_size;
 
   std::string err = asok_connect(m_path, &socket_fd);
@@ -161,7 +160,8 @@ std::string AdminSocketClient::do_request(std::string request, std::string *resu
     goto done;
   }
   message_size = ntohl(message_size_raw);
-  res = safe_read_exact(socket_fd, buffer, message_size);
+  buffer.resize(message_size, 0);
+  res = safe_read_exact(socket_fd, &buffer[0], message_size);
   if (res < 0) {
     int e = res;
     ostringstream oss;
@@ -169,8 +169,8 @@ std::string AdminSocketClient::do_request(std::string request, std::string *resu
     err = oss.str();
     goto done;
   }
-  //printf("MESSAGE FROM SERVER: %s\n", buffer);
-  result->assign((const char*)buffer);
+  //printf("MESSAGE FROM SERVER: %s\n", buffer.c_str());
+  std::swap(*result, buffer);
 done:
   close(socket_fd);
  out:
-- 
2.47.3