From 6a8a06c0728cfc0c323ff6083134413d59617a5b Mon Sep 17 00:00:00 2001 From: loli10K Date: Tue, 9 Jul 2019 00:10:23 +0200 Subject: [PATCH] zfs send does not handle invalid input gracefully MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Due to some changes introduced in 30af21b 'zfs send' can crash when provided with invalid inputs: this change attempts to add more checks to the affected code paths. Reviewed-by: Attila Fülöp Reviewed-by: Brian Behlendorf Reviewed-by: Tony Hutter Signed-off-by: loli10K Closes #9001 --- cmd/zfs/zfs_main.c | 6 +++++- lib/libzfs/libzfs_sendrecv.c | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/cmd/zfs/zfs_main.c b/cmd/zfs/zfs_main.c index d9709ae62913..0ebd16f6d6a5 100644 --- a/cmd/zfs/zfs_main.c +++ b/cmd/zfs/zfs_main.c @@ -4338,7 +4338,11 @@ zfs_do_send(int argc, char **argv) return (1); } - cp = strchr(argv[0], '@'); + if ((cp = strchr(argv[0], '@')) == NULL) { + (void) fprintf(stderr, gettext("Error: " + "Unsupported flag with filesystem or bookmark.\n")); + return (1); + } *cp = '\0'; toname = cp + 1; zhp = zfs_open(g_zfs, argv[0], ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME); diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c index 885f263bf0d9..9fdb990522d9 100644 --- a/lib/libzfs/libzfs_sendrecv.c +++ b/lib/libzfs/libzfs_sendrecv.c @@ -2422,6 +2422,10 @@ zfs_send(zfs_handle_t *zhp, const char *fromsnap, const char *tosnap, } zfs_handle_t *tosnap = zfs_open(zhp->zfs_hdl, full_tosnap_name, ZFS_TYPE_SNAPSHOT); + if (tosnap == NULL) { + err = -1; + goto err_out; + } err = send_prelim_records(tosnap, fromsnap, outfd, flags->replicate || flags->props || flags->holds, flags->replicate, flags->verbosity > 0, flags->dryrun, @@ -2707,6 +2711,8 @@ zfs_send_one(zfs_handle_t *zhp, const char *from, int fd, sendflags_t *flags, if (from != NULL && strchr(from, '@')) { zfs_handle_t *from_zhp = zfs_open(hdl, from, ZFS_TYPE_DATASET); + if (from_zhp == NULL) + return (-1); if (!snapshot_is_before(from_zhp, zhp)) { zfs_close(from_zhp); zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,