From 6ef9ef38f5fbda2a07be81f1420b0826f26d173b Mon Sep 17 00:00:00 2001 From: oetiker Date: Fri, 3 Oct 2008 22:53:28 +0000 Subject: [PATCH] The patch fixs rrdtools behaviour when presented with trunkated rrd files. * Make sure that we do not extend past the end of the file when reading the header. * Makes sure that the data portion of the file is large enough, based on the ds_cnt and the total number of RRA rows -- kevin brintnall git-svn-id: svn://svn.oetiker.ch/rrdtool/branches/1.3@1570 a5681a0c-68f1-0310-ab6d-d61299d08faa --- program/src/rrd_open.c | 49 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/program/src/rrd_open.c b/program/src/rrd_open.c index a6c04e28..81986472 100644 --- a/program/src/rrd_open.c +++ b/program/src/rrd_open.c @@ -21,16 +21,30 @@ /* the cast to void* is there to avoid this warning seen on ia64 with certain versions of gcc: 'cast increases required alignment of target type' */ -#define __rrd_read(dst, dst_t, cnt) \ +#define __rrd_read(dst, dst_t, cnt) { \ + size_t wanted = sizeof(dst_t)*(cnt); \ + if (offset + wanted > rrd_file->file_len) { \ + rrd_set_error("reached EOF while loading header " #dst); \ + goto out_nullify_head; \ + } \ (dst) = (dst_t*)(void*) (data + offset); \ - offset += sizeof(dst_t) * (cnt) + offset += wanted; \ + } #else -#define __rrd_read(dst, dst_t, cnt) \ - if ((dst = malloc(sizeof(dst_t)*(cnt))) == NULL) { \ +#define __rrd_read(dst, dst_t, cnt) { \ + size_t wanted = sizeof(dst_t)*(cnt); \ + size_t got; \ + if ((dst = malloc(wanted)) == NULL) { \ rrd_set_error(#dst " malloc"); \ goto out_nullify_head; \ } \ - offset += read (rrd_file->fd, dst, sizeof(dst_t)*(cnt)) + got = read (rrd_file->fd, dst, wanted); \ + if (got != wanted) { \ + rrd_set_error("short read while reading header " #dst); \ + goto out_nullify_head; \ + } \ + offset += got; \ + } #endif /* get the address of the start of this page */ 
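Review bot: In the mmap variant of `__rrd_read`, the new guard `offset + wanted > rrd_file->file_len` adds before it compares, so a large `cnt` can wrap `sizeof(dst_t)*(cnt)` or the sum and pass the check. The call sites are outside the hunk, but `cnt` presumably comes from header fields of the file being opened, which is the untrusted input this patch is meant to guard against. Comparing against the remaining space avoids the wrap: `if (wanted / sizeof(dst_t) != (size_t)(cnt) || wanted > (size_t)(rrd_file->file_len - offset)) {`. In the read() variant, `got` is a `size_t` but read() returns `ssize_t`, so a failed read is reported as a "short read" and errno is lost; `ssize_t got` with a separate `got < 0` test would keep the two cases apart. Both macros are now bare `{ ... }` blocks, and wrapping them in `do { ... } while (0)` would keep `__rrd_read(...);` safe inside an unbraced if/else.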
@@ -58,7 +72,7 @@ rrd_file_t *rrd_open( #ifdef HAVE_MMAP ssize_t _page_size = sysconf(_SC_PAGESIZE); int mm_prot = PROT_READ, mm_flags = 0; - char *data; + char *data = MAP_FAILED; #endif off_t offset = 0; struct stat statb; @@ -257,11 +271,34 @@ rrd_file_t *rrd_open( rrd_file->header_len = offset; rrd_file->pos = offset; + + { + unsigned long row_cnt = 0; + unsigned long i; + + for (i=0; istat_head->rra_cnt; i++) + row_cnt += rrd->rra_def[i].row_cnt; + + off_t correct_len = rrd_file->header_len + + sizeof(rrd_value_t) * row_cnt * rrd->stat_head->ds_cnt; + + if (correct_len > rrd_file->file_len) + { + rrd_set_error("'%s' is too small (should be %ld bytes)", + file_name, (long long) correct_len); + goto out_nullify_head; + } + } + out_done: return (rrd_file); out_nullify_head: rrd->stat_head = NULL; out_close: +#ifdef HAVE_MMAP + if (data != MAP_FAILED) + munmap(data, rrd_file->file_len); +#endif close(rrd_file->fd); out_free: free(rrd_file); -- 2.30.2
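Review bot: The new size check computes `sizeof(rrd_value_t) * row_cnt * rrd->stat_head->ds_cnt` in unsigned arithmetic from counts read out of the file, so large values can wrap (most easily where `unsigned long` is 32 bits) and yield a small `correct_len` that passes `correct_len > rrd_file->file_len`. The `row_cnt +=` accumulation can wrap the same way. Bounding by division avoids both: after ruling out a zero `ds_cnt`, reject when `row_cnt > (rrd_file->file_len - rrd_file->header_len) / sizeof(rrd_value_t) / rrd->stat_head->ds_cnt`, and check each addend against the remaining budget inside the loop. Separately, the error message passes `(long long) correct_len` to `%ld`, a format/argument mismatch; it should read `"'%s' is too small (should be %lld bytes)"`. The enclosing rrd_open() starts and ends outside the hunk.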