Blob Blame Raw
From 6842c7cff2542af8e1c693f3bc6c52b1b2e87caa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 24 Feb 2014 15:54:32 +0100
Subject: [PATCH] Prevent from grace period overflow in RPC transport
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The RPC transports grace time as unsigned int, but the value stored
there and retrivedd from is treated as singed difference against current time.

This leads to overflow after expiring the grace time which is
presented as an enourmously large grace time instead of "none" in the
quota(1) output.

There also possible an overflow when the time difference is still
bigger than an int can represent.

This first issue is solved by explicit type cast to/from int32_t, the
second issue is fixes by limiting the value into int32_t range.

<https://sourceforge.net/p/linuxquota/bugs/115/>

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 quotasys.c      | 13 +++++++++++++
 quotasys.h      |  4 ++++
 rquota_client.c |  9 +++++----
 rquota_server.c |  9 +++++----
 4 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/quotasys.c b/quotasys.c
index dee5118..b52c1d2 100644
--- a/quotasys.c
+++ b/quotasys.c
@@ -23,6 +23,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/vfs.h>
+#include <stdint.h>
 
 #include "pot.h"
 #include "bylabel.h"
@@ -323,6 +324,18 @@ void difftime2str(time_t seconds, char *buf)
 }
 
 /*
+ * Round difference of two time_t values into int32_t
+ */
+int32_t difftime2net(time_t later, time_t sooner)
+{
+	if ((later - sooner) > INT32_MAX)
+		return INT32_MAX;
+	if ((later - sooner) < INT32_MIN)
+		return INT32_MIN;
+	return (later - sooner);
+}
+
+/*
  * Convert time to printable form
  */
 void time2str(time_t seconds, char *buf, int flags)
diff --git a/quotasys.h b/quotasys.h
index 5ca26e6..7877cdd 100644
--- a/quotasys.h
+++ b/quotasys.h
@@ -8,6 +8,7 @@
 #define GUARD_QUOTASYS_H
 
 #include <sys/types.h>
+#include <inttypes.h>
 #include "mntopt.h"
 #include "quota.h"
 
@@ -100,6 +101,9 @@ int util2kernfmt(int fmt);
 /* Convert time difference between given time and current time to printable form */
 void difftime2str(time_t, char *);
 
+/* Round difference of two time_t values into int32_t */
+int32_t difftime2net(time_t later, time_t sooner);
+
 /* Convert time to printable form */
 void time2str(time_t, char *, int);
 
diff --git a/rquota_client.c b/rquota_client.c
index e26e066..00adae2 100644
--- a/rquota_client.c
+++ b/rquota_client.c
@@ -32,6 +32,7 @@
 #include <string.h>
 #include <signal.h>
 #include <time.h>
+#include <stdint.h>
 
 #include "mntopt.h"
 #include "rquota.h"
@@ -54,11 +55,11 @@ static inline void clinet2utildqblk(struct util_dqblk *u, struct rquota *n)
 	u->dqb_curspace = ((qsize_t)n->rq_curblocks) * n->rq_bsize;
 	time(&now);
 	if (n->rq_btimeleft)
-		u->dqb_btime = n->rq_btimeleft + now;
+		u->dqb_btime = (int32_t)n->rq_btimeleft + now;
 	else
 		u->dqb_btime = 0;
 	if (n->rq_ftimeleft)
-		u->dqb_itime = n->rq_ftimeleft + now;
+		u->dqb_itime = (int32_t)n->rq_ftimeleft + now;
 	else
 		u->dqb_itime = 0;
 }
@@ -76,11 +77,11 @@ static inline void cliutil2netdqblk(struct sq_dqblk *n, struct util_dqblk *u)
 	n->rq_curblocks = toqb(u->dqb_curspace);
 	n->rq_curfiles = u->dqb_curinodes;
 	if (u->dqb_btime)
-		n->rq_btimeleft = u->dqb_btime - now;
+		n->rq_btimeleft = difftime2net(u->dqb_btime, now);
 	else
 		n->rq_btimeleft = 0;
 	if (u->dqb_itime)
-		n->rq_ftimeleft = u->dqb_itime - now;
+		n->rq_ftimeleft = difftime2net(u->dqb_itime, now);
 	else
 		n->rq_ftimeleft = 0;
 }
diff --git a/rquota_server.c b/rquota_server.c
index bf66e4d..09cf6ed 100644
--- a/rquota_server.c
+++ b/rquota_server.c
@@ -25,6 +25,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <time.h>
+#include <stdint.h>
 
 #include "mntopt.h"
 #include "quotaops.h"
@@ -82,11 +83,11 @@ static inline void servnet2utildqblk(struct util_dqblk *u, sq_dqblk * n)
 	u->dqb_curspace = ((qsize_t)n->rq_curblocks) << RPC_DQBLK_SIZE_BITS;
 	u->dqb_curinodes = n->rq_curfiles;
 	if (n->rq_btimeleft)
-		u->dqb_btime = n->rq_btimeleft + now;
+		u->dqb_btime = (int32_t)n->rq_btimeleft + now;
 	else
 		u->dqb_btime = 0;
 	if (n->rq_ftimeleft)
-		u->dqb_itime = n->rq_ftimeleft + now;
+		u->dqb_itime = (int32_t)n->rq_ftimeleft + now;
 	else
 		u->dqb_itime = 0;
 }
@@ -127,11 +128,11 @@ static inline void servutil2netdqblk(struct rquota *n, struct util_dqblk *u)
 
 	time(&now);
 	if (u->dqb_btime)
-		n->rq_btimeleft = u->dqb_btime - now;
+		n->rq_btimeleft = difftime2net(u->dqb_btime, now);
 	else
 		n->rq_btimeleft = 0;
 	if (u->dqb_itime)
-		n->rq_ftimeleft = u->dqb_itime - now;
+		n->rq_ftimeleft = difftime2net(u->dqb_itime, now);
 	else
 		n->rq_ftimeleft = 0;
 }
-- 
1.8.5.3