From 69f0c7cf74a9af4c5a0a3ead2d608dd155e159ce Mon Sep 17 00:00:00 2001
From: Chen Qi
Date: Wed, 26 Sep 2018 10:36:25 +0800
Subject: glusterfs: fix CVE-2018-10911
Backport patch to fix the following CVE.
CVE: CVE-2018-10911
Signed-off-by: Chen Qi
Signed-off-by: Bruce Ashfield
---
 ...-negative-key-value-length-while-unserial.patch | 39 ++++++++++++++++++++++
 recipes-extended/glusterfs/glusterfs.inc | 1 +
 2 files changed, 40 insertions(+)
 create mode 100644 recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch
diff --git a/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch b/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch
new file mode 100644
index 0000000..cb3400b
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0001-dict-handle-negative-key-value-length-while-unserial.patch
@@ -0,0 +1,39 @@
+From 428ee988df7d6cbe6e18becffcee5cdfb0fa9d17 Mon Sep 17 00:00:00 2001
+From: Amar Tumballi
+Date: Tue, 24 Jul 2018 13:25:12 +0530
+Subject: [PATCH 1/7] dict: handle negative key/value length while unserialize
+
+Fixes: bz#1625089
+Change-Id: Ie56df0da46c242846a1ba51ccb9e011af118b119
+Signed-off-by: Amar Tumballi
+
+Upstream-Status: Backport
+
+Fix CVE-2018-10911
+
+Signed-off-by: Chen Qi
+---
+ libglusterfs/src/dict.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libglusterfs/src/dict.c b/libglusterfs/src/dict.c
+index 839b426..ac0a677 100644
+--- a/libglusterfs/src/dict.c
++++ b/libglusterfs/src/dict.c
+@@ -2751,6 +2751,13 @@ dict_unserialize (char *orig_buf, int32_t size, dict_t **fill)
+ vallen = ntoh32 (hostord);
+ buf += DICT_DATA_HDR_VAL_LEN;
+
++ if ((keylen < 0) || (vallen < 0)) {
++ gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
++ LG_MSG_UNDERSIZED_BUF,
++ "undersized length passed "
++ "key:%d val:%d", keylen, vallen);
++ goto out;
++ }
+ if ((buf + keylen) > (orig_buf + size)) {
+ gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
+ LG_MSG_UNDERSIZED_BUF,
+--
+2.7.4
+
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index ab63a9a..ea5f2b7 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -23,6 +23,7 @@ SRC_URI += "file://glusterd.init \
 file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
 file://0002-server-auth-add-option-for-strict-authentication.patch \
 file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \
+ file://0001-dict-handle-negative-key-value-length-while-unserial.patch \
 "
 
 LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
--
cgit v1.2.3-54-g00ecf
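Review bot: A large positive keylen still reaches `if ((buf + keylen) > (orig_buf + size))` in the embedded dict.c hunk, where the pointer is formed from the wire-supplied length before it is validated. That is undefined behaviour once `buf + keylen` leaves the buffer, and on a 32-bit target the sum could wrap and pass the test; the added guard only covers the negative case. Comparing the length with the bytes that remain avoids the pointer arithmetic, `if (keylen > (orig_buf + size) - buf)`, and the vallen bound, which presumably follows outside the hunk, would want the same form. dict_unserialize starts and ends outside this hunk, so this rests on the visible lines only. Separately, the patch header carries `Fix CVE-2018-10911` as free text; a `CVE: CVE-2018-10911` tag line beside `Upstream-Status: Backport` would let tooling that scans patch headers for CVE tags (such as OE-core's cve-check) match the patch to the CVE.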