Date: Tue, 12 Jul 2016 11:20:00 +0000 (UTC)
From: Andriy Gapon <avg@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r302642 - vendor-sys/illumos/dist/uts/common/fs/zfs vendor/illumos/dist/lib/libzfs/common
Message-ID: <201607121120.u6CBK0N5089357@repo.freebsd.org>
Author: avg Date: Tue Jul 12 11:20:00 2016 New Revision: 302642 URL: https://svnweb.freebsd.org/changeset/base/302642 Log: 6876 Stack corruption after importing a pool with a too-long name illumos/illumos-gate@c971037baa5d64dfecf6d87ed602fc3116ebec41 https://github.com/illumos/illumos-gate/commit/c971037baa5d64dfecf6d87ed602fc3116ebec41 https://www.illumos.org/issues/6876 Calling dsl_dataset_name on a dataset with a 256 byte buffer is asking for trouble. We should check every dataset on import, using a 1024 byte buffer and checking each time to see if the dataset's new name is longer than 256 bytes. Reviewed by: Prakash Surya <prakash.surya@delphix.com> Reviewed by: Dan Kimmel <dan.kimmel@delphix.com> Reviewed by: George Wilson <george.wilson@delphix.com> Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com> Approved by: Richard Lowe <richlowe@richlowe.net> Author: Paul Dagnelie <pcd@delphix.com> Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/spa.c Changes in other areas also in this revision: Modified: vendor/illumos/dist/lib/libzfs/common/libzfs_pool.c Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/spa.c ============================================================================== --- vendor-sys/illumos/dist/uts/common/fs/zfs/spa.c Tue Jul 12 11:18:25 2016 (r302641) +++ vendor-sys/illumos/dist/uts/common/fs/zfs/spa.c Tue Jul 12 11:20:00 2016 (r302642) @@ -1926,6 +1926,19 @@ spa_load_verify_cb(spa_t *spa, zilog_t * return (0); } +/* ARGSUSED */ +int +verify_dataset_name_len(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg) +{ + char namebuf[MAXPATHLEN]; + dsl_dataset_name(ds, namebuf); + if (strlen(namebuf) > MAXNAMELEN) { + return (SET_ERROR(ENAMETOOLONG)); + } + + return (0); +} + static int spa_load_verify(spa_t *spa) { 
@@ -1940,6 +1953,14 @@ spa_load_verify(spa_t *spa) if (policy.zrp_request & ZPOOL_NEVER_REWIND) return (0); + dsl_pool_config_enter(spa->spa_dsl_pool, FTAG); + error = dmu_objset_find_dp(spa->spa_dsl_pool, + spa->spa_dsl_pool->dp_root_dir_obj, verify_dataset_name_len, NULL, + DS_FIND_CHILDREN); + dsl_pool_config_exit(spa->spa_dsl_pool, FTAG); + if (error != 0) + return (error); + rio = zio_root(spa, NULL, &sle, ZIO_FLAG_CANFAIL | ZIO_FLAG_SPECULATIVE);
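Review bot: In the first hunk (verify_dataset_name_len), the test "strlen(namebuf) > MAXNAMELEN" looks off by one if MAXNAMELEN is the size of the 256 byte buffers the log message refers to: a name of exactly MAXNAMELEN characters passes the check but needs MAXNAMELEN + 1 bytes once the terminator is counted. Consider ">=" so that only names that fit a MAXNAMELEN buffer are accepted. The check also runs only after dsl_dataset_name(ds, namebuf) has already written into namebuf with no length argument, so a name longer than MAXPATHLEN would overflow this function's own stack buffer before it can be rejected; a bounded copy or a length query before the copy would close that. Lastly, the function is used only as a callback in this file and could be declared static, like spa_load_verify below it.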
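Review bot: In the second hunk (spa_load_verify), the new dmu_objset_find_dp() walk is placed after "if (policy.zrp_request & ZPOOL_NEVER_REWIND) return (0);", so an import with that policy bit set returns before any dataset name is checked and the over-long name still reaches later callers. Consider moving the name-length walk above the early return, or add a comment stating why skipping it on that path is safe. A short comment above the dsl_pool_config_enter() call saying that the walk rejects pools with dataset names longer than MAXNAMELEN would also help, since nothing at the call site explains why a full child traversal is done on load.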