zfs send does not handle invalid input gracefully

[loli10K]

Motivation and Context

On master zfs send can crash when provided with invalid inputs:

root@linux:/usr/src/zfs# zfs send -R $POOLNAME/fs3 > /dev/null
Segmentation fault (core dumped)
root@linux:/usr/src/zfs# gdb -q zfs /var/crash/zfs.30818
Reading symbols from zfs...done.
[New LWP 30818]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `zfs send -R testpool/fs3'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005557b743c545 in zfs_do_send (argc=1, argv=0x5557b8083f08) at zfs_main.c:4340
4340		*cp = '\0';
(gdb) bt
#0  0x00005557b743c545 in zfs_do_send (argc=1, argv=0x5557b8083f08) at zfs_main.c:4340
#1  0x00005557b74347a8 in main (argc=4, argv=<optimized out>) at zfs_main.c:8260
(gdb) list 
4335			    "cannot be sent redacted.\n"));
4336			return (1);
4337		}
4338	
4339		cp = strchr(argv[0], '@');
4340		*cp = '\0';
4341		toname = cp + 1;
4342		zhp = zfs_open(g_zfs, argv[0], ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
4343		if (zhp == NULL)
4344			return (1);
(gdb) p cp
$1 = 0x0
(gdb) p argv[0]
$2 = 0x5557b8083c60 "testpool/fs3"
(gdb) 

Description

This change attempts to add more checks to the affected code paths.

How Has This Been Tested?

Run "zfs_send" test group on a local builder.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[AttilaFueloep]

By coincidence I came up with nearly the same patch yesterday with just two differences

[AttilaFueloep]

err = EZFS_BADPATH;

[loli10K]

err = EZFS_BADPATH;

This is not necessarily true, zfs_open() can fail for many different reasons, not just invalid input.

[AttilaFueloep]

Thats right. IRC this was how the old code handled it. Would have to look again to be sure though. Nonetheless I'm fine either way.

[AttilaFueloep]

return (EZFS_NOENT);

[codecov]

Codecov Report

Merging #9001 into master will decrease coverage by 0.03%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #9001      +/-   ##
==========================================
- Coverage   78.62%   78.59%   -0.04%     
==========================================
  Files         388      388              
  Lines      119992   119997       +5     
==========================================
- Hits        94349    94307      -42     
- Misses      25643    25690      +47

Flag	Coverage Δ
#kernel	79.44% <ø> (ø)	⬆️
#user	66.29% <100%> (+0.11%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1086f54...7feb7ac. Read the comment docs.

[AttilaFueloep]

As a side note, maybe we should add a regression test like so AttilaFueloep@d400ce1 ?

[behlendorf]

Looks good. I'd be OK with extending the test cases, but I don't think it's strictly necessarily since if #9003 has been applied the CI would have caught this prior to merging the feature.