From: <bac...@li...> - 2008-07-29 15:42:49
The following issue has been SUBMITTED.
======================================================================
http://bugs.bacula.org/view.php?id=1131
======================================================================
Reported By:                Sven
Assigned To:
======================================================================
Project:                    bacula
Issue ID:                   1131
Category:                   File Daemon
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             07-29-2008 16:42 BST
Last Modified:              07-29-2008 16:42 BST
======================================================================
Summary:                    bacula-fd crash with strippath > 0, if stripping path to root
Description:
If I strip the path down to the root, bacula-fd crashes.

For example:

FileSet {
  Name = "Full Set Webserver"
  Include {
    Options {
      strippath = 3;
    }
    File = /root/backup/lvmRootMount
  }
}

Crashes with a segfault like in BUG 1047 if strippath is 4; 3 is ok.

Logs show the path isn't stripped down as needed.

/root/backup/rootMount/etc -> should get /
/root/backup/rootMount/etc -> is stripped to /root/backup/rootMount/etc
but
/root/backup/rootMount/etc/additional -> is stripped to /additional

Hunting in the source backup.c I found out that, if it's stripped to root, the return value is incorrect. Am I right? The value should be true if stripping can be done. It can be done if numsep >= count. So I changed numsep>count to numsep>=count and bacula works well then.

There's also a possibility to generate a buffer overflow in this function if a malicious path is used within this function. If the path doesn't contain anything (just an empty string), the finishing *out = 0 may write behind the string!

snippet of working backup.c
------
static bool do_strip(int count, char *in)
{
   ...
      *out++ = *in++;
   }
   *out = 0;   ////////////// Dangerous if in == ""
   Dmsg4(500, "stripped=%d count=%d numsep=%d sep>count=%d\n",
         stripped, count, numsep, numsep>=count);
   return stripped==count && numsep>=count;
}
======================================================================

Issue History
Date Modified   Username       Field                    Change
======================================================================
07-29-08 16:42  Sven           New Issue
======================================================================
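
A stand-alone model of the boundary case described in the report, added here as an example; it is not Bacula's do_strip() and not the reporter's patch. The name strip_path, the allow_root flag and the separate bounds-checked output buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not Bacula's do_strip(): drop `count` leading path
 * components from `in` and write the result to out[outlen].
 * allow_root = 0 models the reported comparison (numsep > count),
 * allow_root = 1 models the reporter's change (numsep >= count).
 * Returns 1 if stripped, 0 if the path is copied unchanged, -1 on bad
 * arguments or an output buffer too small for the input. */
int strip_path(const char *in, int count, int allow_root,
               char *out, size_t outlen)
{
    if (in == NULL || out == NULL || count < 1)
        return -1;
    size_t len = strlen(in);
    if (len >= outlen)              /* result is never longer than input */
        return -1;

    const char *p = in;
    int numsep = 0, stripped = 0;

    while (*p && *p != '/')         /* keep any prefix before the first '/' */
        p++;
    if (*p) {                       /* keep the first separator itself */
        p++;
        numsep++;
    }
    size_t keep = (size_t)(p - in);

    for (; stripped < count && *p; stripped++) {
        while (*p && *p != '/')     /* skip one component */
            p++;
        if (*p) {                   /* and the separator that follows it */
            p++;
            numsep++;
        }
    }

    /* numsep == count is the "stripped down to root" boundary. */
    int enough = allow_root ? (numsep >= count) : (numsep > count);
    if (stripped != count || !enough) {
        memcpy(out, in, len + 1);   /* empty or too-short paths land here */
        return 0;
    }
    memcpy(out, in, keep);
    memcpy(out + keep, p, strlen(p) + 1);  /* keep + strlen(p) <= len < outlen */
    return 1;
}
```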