author | Sebastian Krahmer | 2014-12-05 10:06:42 +0100 |
---|---|---|
committer | Karel Zak | 2014-12-05 11:37:05 +0100 |
commit | 109df14fad4e9570e26950913ebace6c79289400 (patch) | |
tree | cca9a9f7fac162b3319821e56940ddf7b59925c7 /libblkid/src/probe.c | |
parent | libfdisk: fix bug in cmp_numbers() and partitions sorting (diff) | |
libblkid: fix potential buffer overflows

While digging deeper into libblk probing, I found that some
computations might wrap and allocate too little buffer space which then
overflows. In particular on 32bit systems (chromebook) where size_t is
32bit, this is problematic (for 64bit the result fits into the calloc
size_t).
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'libblkid/src/probe.c')
-rw-r--r-- | libblkid/src/probe.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c index 3f7e43bec..70e882ac9 100644 --- a/libblkid/src/probe.c +++ b/libblkid/src/probe.c @@ -103,6 +103,7 @@ #include <inttypes.h> #include <stdint.h> #include <stdarg.h> +#include <limits.h> #ifdef HAVE_LIBUUID # include <uuid.h> @@ -578,6 +579,12 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, return NULL; } + /* someone trying to overflow some buffers? */ + if (len > ULONG_MAX - sizeof(struct blkid_bufinfo)) { + errno = ENOMEM; + return NULL; + } + /* allocate info and space for data by why call */ bf = calloc(1, sizeof(struct blkid_bufinfo) + len); if (!bf) { |
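Review bot: In the blkid_probe_get_buffer() hunk, the new bound is taken from ULONG_MAX, but the sum sizeof(struct blkid_bufinfo) + len is handed to calloc(), whose size parameter is size_t, so the limit that matches the allocation is SIZE_MAX. The two coincide on the usual Linux ABIs, but the C standard does not guarantee it; comparing against SIZE_MAX - sizeof(struct blkid_bufinfo) states the intent directly, and since <stdint.h> is already included above, the added <limits.h> include would no longer be needed. The declaration of len is not visible in this hunk: if it is a signed type wider than unsigned long, a negative value is not rejected by this comparison, so it is worth confirming that an earlier check covers that case. The comment "someone trying to overflow some buffers?" would also be more useful if it named what is being guarded, namely the size computation passed to calloc().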