authorSebastian Krahmer2014-12-05 10:06:42 +0100
committerKarel Zak2014-12-05 11:37:05 +0100
commit109df14fad4e9570e26950913ebace6c79289400 (patch)
treecca9a9f7fac162b3319821e56940ddf7b59925c7 /libblkid/src/superblocks/zfs.c
parentlibfdisk: fix bug in cmp_numbers() and partitions sorting (diff)
libblkid: fix potential bufer overflows
While digging deeper into libblkid probing, I found that some computations might wrap and allocate too little buffer space, which then overflows. In particular on 32-bit systems (Chromebook) where size_t is 32-bit this is problematic (on 64-bit the result fits into the calloc size_t). Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'libblkid/src/superblocks/zfs.c')
-rw-r--r--libblkid/src/superblocks/zfs.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index 6ffa24d69..86da59d4a 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -12,6 +12,7 @@
#include <errno.h>
#include <ctype.h>
#include <inttypes.h>
+#include <limits.h>
#include "superblocks.h"
@@ -108,6 +109,8 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
+ if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+ break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type,
nvs->nvs_strlen, nvs->nvs_string);
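Review bot: The new guard on `nvs->nvs_strlen` only keeps the addend `nvs->nvs_strlen + sizeof(*nvs)` from wrapping; it does not bound the length by the buffer space still available, so a length just below `UINT_MAX - sizeof(*nvs)` passes, `avail` is driven far below zero (or wraps, depending on its type, which is declared outside this hunk), and `nvs->nvs_string` is still handed to nvdebug on the next line before the loop condition is re-evaluated. The more useful bound is the remaining space, e.g. `if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs) || nvs->nvs_strlen + sizeof(*nvs) > (size_t)avail) break;`, which assumes `avail` is known to be non-negative at this point — that is not visible here and should be confirmed. Separately, the nvdebug format on the last two lines uses `%*s` (a field width) rather than `%.*s` (a precision), so the length does not limit how many bytes are read from the non-terminated `nvs->nvs_string`; `%.*s` would bound the read. zfs_extract_guid_name starts and ends outside this hunk.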