DDF: validate metadata_update size before using it.
process_update already checks update->len, for all but the 'magic', prepare_update doesn't at all. So add tests to prepare_update that we don't exceed the buffer. This will consequently protect process_update from looking for a 'magic' which isn't there. Reported-by: Vincent Berg <vberg@ioactive.com> Signed-off-by: NeilBrown <neilb@suse.de>
This commit is contained in:
parent
5fe6f031d9
commit
1f17f96b53
10
super-ddf.c
10
super-ddf.c
|
@ -4914,10 +4914,16 @@ static int ddf_prepare_update(struct supertype *st,
|
||||||
* If a malloc is needed, do it here.
|
* If a malloc is needed, do it here.
|
||||||
*/
|
*/
|
||||||
struct ddf_super *ddf = st->sb;
|
struct ddf_super *ddf = st->sb;
|
||||||
be32 *magic = (be32 *)update->buf;
|
be32 *magic;
|
||||||
|
if (update->len < 4)
|
||||||
|
return 0;
|
||||||
|
magic = (be32 *)update->buf;
|
||||||
if (be32_eq(*magic, DDF_VD_CONF_MAGIC)) {
|
if (be32_eq(*magic, DDF_VD_CONF_MAGIC)) {
|
||||||
struct vcl *vcl;
|
struct vcl *vcl;
|
||||||
struct vd_config *conf = (struct vd_config *) update->buf;
|
struct vd_config *conf;
|
||||||
|
if (update->len < (int)sizeof(*conf))
|
||||||
|
return 0;
|
||||||
|
conf = (struct vd_config *) update->buf;
|
||||||
if (posix_memalign(&update->space, 512,
|
if (posix_memalign(&update->space, 512,
|
||||||
offsetof(struct vcl, conf)
|
offsetof(struct vcl, conf)
|
||||||
+ ddf->conf_rec_len * 512) != 0) {
|
+ ddf->conf_rec_len * 512) != 0) {
|
||||||
|
|
Loading…
Reference in New Issue