From ebd2fdc1564bc9c65241239f4c6df71879b2b935 Mon Sep 17 00:00:00 2001
From: Huo Linhe
Date: Wed, 23 Jun 2021 14:44:11 +0800
Subject: [PATCH 1/5] [TD-4872]: fix buffer overflow in -O3 build

---
 src/tfs/src/tfs.c      | 4 +++-
 src/util/src/tconfig.c | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/tfs/src/tfs.c b/src/tfs/src/tfs.c
index f78535b8ed..9dc68dcdfd 100644
--- a/src/tfs/src/tfs.c
+++ b/src/tfs/src/tfs.c
@@ -480,11 +480,13 @@ static int tfsFormatDir(char *idir, char *odir) {
     return -1;
   }
 
-  if (realpath(wep.we_wordv[0], odir) == NULL) {
+  char tmp[PATH_MAX] = {0};
+  if (realpath(wep.we_wordv[0], tmp) == NULL) {
     terrno = TAOS_SYSTEM_ERROR(errno);
     wordfree(&wep);
     return -1;
   }
+  strcpy(odir, tmp);
 
   wordfree(&wep);
   return 0;
diff --git a/src/util/src/tconfig.c b/src/util/src/tconfig.c
index c4bd577602..442e83bb4f 100644
--- a/src/util/src/tconfig.c
+++ b/src/util/src/tconfig.c
@@ -151,7 +151,7 @@ static bool taosReadDirectoryConfig(SGlobalCfg *cfg, char *input_value) {
 
   wordfree(&full_path);
 
-  char tmp[1025] = {0};
+  char tmp[PATH_MAX] = {0};
   if (realpath(option, tmp) != NULL) {
     strcpy(option, tmp);
   }

From ff492acbbfb620d2199aaa44f5646fc90d715e92 Mon Sep 17 00:00:00 2001
From: Huo Linhe
Date: Thu, 24 Jun 2021 11:36:41 +0800
Subject: [PATCH 2/5] [TD-4872]: fix tasodemo buffer overflow with -O3

---
 src/kit/taosdemo/taosdemo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/kit/taosdemo/taosdemo.c b/src/kit/taosdemo/taosdemo.c
index 33ee2a9bc2..1bb057aa67 100644
--- a/src/kit/taosdemo/taosdemo.c
+++ b/src/kit/taosdemo/taosdemo.c
@@ -5103,7 +5103,7 @@ static int32_t generateStbDataTail(
       } else {
         retLen = getRowDataFromSample(
             data,
-            remainderBufLen,
+            remainderBufLen < MAX_DATA_SIZE ? remainderBufLen : MAX_DATA_SIZE,
             startTime + superTblInfo->timeStampStep * k,
             superTblInfo,
             pSamplePos);

From a9c1f6bc73a76fa32d865ad22984198526f57223 Mon Sep 17 00:00:00 2001
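Review bot: The added `strcpy(odir, tmp);` in the tfs.c hunk copies a resolved path of up to PATH_MAX-1 bytes into `odir`, whose capacity tfsFormatDir is never told (`static int tfsFormatDir(char *idir, char *odir)`), so if `odir` is smaller than PATH_MAX — presumably what the -O3 fortify diagnostic was about, since realpath() needs a PATH_MAX-sized output buffer — the overflow has moved from realpath() into strcpy() rather than gone away; the same applies to `strcpy(option, tmp);` in the tconfig.c hunk. Either pass the destination capacity in and reject long results before copying, `if (strlen(tmp) >= <odir capacity>) { terrno = ...; wordfree(&wep); return -1; }`, or use a bounded copy with `sizeof` of the destination at the call site (the tree's tstrncpy helper, seen in taosdump.c, takes a destination size). If the contract is instead that callers always supply PATH_MAX bytes, state it where the parameter is declared: `/* odir must have room for PATH_MAX bytes; the realpath() result is copied unbounded */`. Both functions start and end outside their hunks.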
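Review bot: The inline clamp `remainderBufLen < MAX_DATA_SIZE ? remainderBufLen : MAX_DATA_SIZE` in the taosdemo.c hunk says nothing about why MAX_DATA_SIZE is the right bound, and a reader of this call cannot tell whether it is the size of `data` or of a buffer inside getRowDataFromSample, which is outside the hunk. Hoist it into a named local above the call with a comment such as `// getRowDataFromSample must not be offered more than MAX_DATA_SIZE bytes per row — confirm against its buffer` (hedged, since that function is not visible here). If `remainderBufLen` is an unsigned or 64-bit type and MAX_DATA_SIZE a plain int, the comparison is mixed-signedness; confirm the types or cast explicitly. generateStbDataTail starts and ends outside the hunk.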
From: Huo Linhe
Date: Thu, 24 Jun 2021 12:40:40 +0800
Subject: [PATCH 3/5] [TD-4872]: fix tasodump buffer overflow with -O3

---
 src/kit/taosdump/taosdump.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/kit/taosdump/taosdump.c b/src/kit/taosdump/taosdump.c
index 165bbdf990..05c6b1efbb 100644
--- a/src/kit/taosdump/taosdump.c
+++ b/src/kit/taosdump/taosdump.c
@@ -29,6 +29,9 @@
 #define COMMAND_SIZE 65536
 //#define DEFAULT_DUMP_FILE "taosdump.sql"
 
+// for strncpy buffer overflow
+#define min(a, b) (((a) < (b)) ? (a) : (b))
+
 int converStringToReadable(char *str, int size, char *buf, int bufsize);
 int convertNCharToReadable(char *str, int size, char *buf, int bufsize);
 void taosDumpCharset(FILE *fp);
@@ -1119,12 +1122,11 @@ int taosGetTableDes(
 
   TAOS_FIELD *fields = taos_fetch_fields(res);
   tstrncpy(tableDes->name, table, TSDB_TABLE_NAME_LEN);
-
   while ((row = taos_fetch_row(res)) != NULL) {
     strncpy(tableDes->cols[count].field, (char *)row[TSDB_DESCRIBE_METRIC_FIELD_INDEX],
             fields[TSDB_DESCRIBE_METRIC_FIELD_INDEX].bytes);
     strncpy(tableDes->cols[count].type, (char *)row[TSDB_DESCRIBE_METRIC_TYPE_INDEX],
-            fields[TSDB_DESCRIBE_METRIC_TYPE_INDEX].bytes);
+            min(16, fields[TSDB_DESCRIBE_METRIC_TYPE_INDEX].bytes));
     tableDes->cols[count].length = *((int *)row[TSDB_DESCRIBE_METRIC_LENGTH_INDEX]);
     strncpy(tableDes->cols[count].note, (char *)row[TSDB_DESCRIBE_METRIC_NOTE_INDEX],
             fields[TSDB_DESCRIBE_METRIC_NOTE_INDEX].bytes);
@@ -1575,7 +1577,7 @@ int taosDumpDb(SDbInfo *dbInfo, struct arguments *arguments, FILE *fp, TAOS *tao
     tstrncpy(tableRecord.name, (char *)row[TSDB_SHOW_TABLES_NAME_INDEX],
             fields[TSDB_SHOW_TABLES_NAME_INDEX].bytes);
     tstrncpy(tableRecord.metric, (char *)row[TSDB_SHOW_TABLES_METRIC_INDEX],
-            fields[TSDB_SHOW_TABLES_METRIC_INDEX].bytes);
+            min(TSDB_TABLE_NAME_LEN, fields[TSDB_SHOW_TABLES_METRIC_INDEX].bytes));
 
     taosWrite(fd, &tableRecord, sizeof(STableRecord));
 

From 8932d665299db36ba7ddcbf73a90f7cdca7a1640 Mon Sep 17 00:00:00 2001
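Review bot: `#define min(a, b) (((a) < (b)) ? (a) : (b))` in the first taosdump.c hunk adds a lowercase function-like macro that evaluates both arguments twice and can collide with a `min` supplied by a system or project header; the file's existing macros such as `COMMAND_SIZE` are upper-case. Rename it to the file's convention and guard it, `#ifndef TMIN` / `#define TMIN(a, b) (((a) < (b)) ? (a) : (b))` / `#endif`, or make it a `static inline size_t` helper so a future call with a side-effecting argument is not evaluated twice. The comment above it should also say what the bound is for rather than what it works around: `// bound strncpy lengths by the destination size, not only by the source column width`.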
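Review bot: The literal `16` in `min(16, fields[TSDB_DESCRIBE_METRIC_TYPE_INDEX].bytes)` in the taosGetTableDes hunk hard-codes the width of `tableDes->cols[count].type`, which is declared elsewhere and can drift; `sizeof(tableDes->cols[count].type)` keeps the bound tied to the struct. strncpy also leaves the destination unterminated when the source fills the whole bound, so the copied value needs an explicit terminator, and the `field` and `note` copies in the same loop body are still bounded only by `fields[...].bytes`, the same mismatch this hunk fixes for `type`. The `tstrncpy` used for `tableDes->name` earlier in the hunk is not a drop-in replacement, because its third argument appears to be the destination size and a row value may not be NUL-terminated within that many bytes — confirm before switching. A small helper that clamps to both bounds and terminates covers all three copies; taosGetTableDes starts and ends outside the hunk.
```c
// Copy a column value that may not be NUL-terminated into dst[cap]:
// never more than cap - 1 bytes, never more than len, always terminated.
static void copyDescribeColumn(char *dst, size_t cap, const char *src, size_t len) {
  size_t n = len < cap - 1 ? len : cap - 1;
  strncpy(dst, src, n);
  dst[n] = '\0';
}

// … in taosGetTableDes, inside the taos_fetch_row loop …
    copyDescribeColumn(tableDes->cols[count].field, sizeof(tableDes->cols[count].field),
                       (char *)row[TSDB_DESCRIBE_METRIC_FIELD_INDEX], fields[TSDB_DESCRIBE_METRIC_FIELD_INDEX].bytes);
    copyDescribeColumn(tableDes->cols[count].type, sizeof(tableDes->cols[count].type),
                       (char *)row[TSDB_DESCRIBE_METRIC_TYPE_INDEX], fields[TSDB_DESCRIBE_METRIC_TYPE_INDEX].bytes);
    tableDes->cols[count].length = *((int *)row[TSDB_DESCRIBE_METRIC_LENGTH_INDEX]);
    copyDescribeColumn(tableDes->cols[count].note, sizeof(tableDes->cols[count].note),
                       (char *)row[TSDB_DESCRIBE_METRIC_NOTE_INDEX], fields[TSDB_DESCRIBE_METRIC_NOTE_INDEX].bytes);
    // … unchanged: rest of the loop body …
```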
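Review bot: In the taosDumpDb hunk, `tableRecord.name` on the first line is still filled with `tstrncpy(..., fields[TSDB_SHOW_TABLES_NAME_INDEX].bytes)`, a length taken from the source column rather than the destination, which is exactly the mismatch the hunk fixes for `metric` two lines later. Bound it the same way, and prefer the struct's own size over the constant so the two cannot drift: `min(sizeof(tableRecord.name), fields[TSDB_SHOW_TABLES_NAME_INDEX].bytes)` and `min(sizeof(tableRecord.metric), fields[TSDB_SHOW_TABLES_METRIC_INDEX].bytes)`. If `bytes` is a signed 16-bit field (its declaration is not visible here), comparing it with a `size_t` inside the macro is mixed-signedness, so cast it to `size_t` at the call. taosDumpDb starts and ends outside the hunk.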
From: tickduan <417921451@qq.com>
Date: Thu, 24 Jun 2021 15:52:27 +0800
Subject: [PATCH 4/5] fix cqCfg.db length is small bug

---
 src/inc/tcq.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/inc/tcq.h b/src/inc/tcq.h
index 7549c3d498..c7eeaca2cc 100644
--- a/src/inc/tcq.h
+++ b/src/inc/tcq.h
@@ -27,7 +27,7 @@ typedef struct {
   int32_t vgId;
   char    user[TSDB_USER_LEN];
   char    pass[TSDB_KEY_LEN];
-  char    db[TSDB_DB_NAME_LEN];
+  char    db[TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN];
   FCqWrite cqWrite;
 } SCqCfg;
 
@@ -38,7 +38,7 @@ typedef struct {
   int32_t num;      // number of continuous streams
   char    user[TSDB_USER_LEN];
   char    pass[TSDB_KEY_LEN];
-  char    db[TSDB_DB_NAME_LEN];
+  char    db[TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN];
   FCqWrite cqWrite;
   struct SCqObj *pHead;
   void *dbConn;

From 943d69ea80fab197e33224ddef94b93bf5d00ef5 Mon Sep 17 00:00:00 2001
From: tickduan <417921451@qq.com>
Date: Fri, 25 Jun 2021 15:11:29 +0800
Subject: [PATCH 5/5] restore CqContext db name length

---
 src/inc/tcq.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/inc/tcq.h b/src/inc/tcq.h
index c7eeaca2cc..27c043f960 100644
--- a/src/inc/tcq.h
+++ b/src/inc/tcq.h
@@ -38,7 +38,7 @@ typedef struct {
   int32_t num;      // number of continuous streams
   char    user[TSDB_USER_LEN];
   char    pass[TSDB_KEY_LEN];
-  char    db[TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN];
+  char    db[TSDB_DB_NAME_LEN];
   FCqWrite cqWrite;
   struct SCqObj *pHead;
   void *dbConn;
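Review bot: After patches 4/5 and 5/5 together, `SCqCfg.db` is `TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN` bytes while `SCqContext.db` is back to `TSDB_DB_NAME_LEN`, and neither field says what it is expected to hold, so any copy from the cfg into the context (not visible here) must now be bounded by the smaller context field or it overflows. Document the intent on the SCqCfg member, `char db[TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN];  // presumably the account-qualified db name — confirm`, and put a matching note on SCqContext.db that it deliberately keeps the shorter length, since the 5/5 subject line gives no reason. A `_Static_assert(sizeof(((SCqCfg *)0)->db) >= sizeof(((SCqContext *)0)->db), "...")` next to the copy, or a bounded copy using `sizeof` of the context field, would make the size mismatch explicit. The SCqCfg typedef starts outside its hunk and the SCqContext typedef ends outside its hunk.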