[PATCH 15/21] dm: Additional data_size/data_start checks


 



---
 dm.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/dm.c b/dm.c
index 814d7d2..289bc0d 100644
--- a/dm.c
+++ b/dm.c
@@ -293,7 +293,8 @@ dm_known_ioctl(struct tcb *tcp, const unsigned int code, long arg)
 	if (!ioc)
 		return 0;
 
-	if (umoven(tcp, arg, sizeof(*ioc) - sizeof(ioc->data), ioc) < 0) {
+	if ((umoven(tcp, arg, sizeof(*ioc) - sizeof(ioc->data), ioc) < 0) ||
+	    (ioc->data_size < offsetof(struct dm_ioctl, data_size))) {
 		free(ioc);
 		return 0;
 	}
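Review bot: The lower bound in the added `ioc->data_size < offsetof(struct dm_ioctl, data_size)` condition looks one field short, because it accepts a data_size that ends exactly where the data_size member begins, which describes a structure too small to hold the value just read. If the intent is "large enough to contain the field being trusted", the comparison would be `ioc->data_size < offsetof(struct dm_ioctl, data_size) + sizeof(ioc->data_size)`. If the looser bound is deliberate because the second hunk applies the full fixed-header size, a short comment such as `/* minimal sanity check; the full header size is checked before decoding */` would make that clear. The value comes from the traced process and no upper bound is visible here; whether one is applied before any later allocation or copy cannot be seen, since dm_known_ioctl continues outside the hunk.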
@@ -335,6 +336,11 @@ dm_known_ioctl(struct tcb *tcp, const unsigned int code, long arg)
 		goto skip;
 	}
 
+	if (ioc->data_size < (sizeof(*ioc) - sizeof(ioc->data))) {
+		tprints(", /* Incorrect data_size */ ...");
+		goto skip;
+	}
+
 	dm_decode_device(code, ioc);
 	dm_decode_values(tcp, code, ioc);
 	dm_decode_flags(ioc);
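Review bot: Only data_size is validated before the decoders run, although the subject also names data_start, and neither hunk compares ioc->data_start with anything. If dm_decode_values, which receives tcp and ioc, uses data_start as an offset into the tracee's buffer, a value beyond data_size would still reach it; whether the decoders guard against that themselves is outside the hunk. A matching guard next to the new one would close the gap, for example `if (ioc->data_start > ioc->data_size) { tprints(", /* Incorrect data_start */ ..."); goto skip; }`. Printing the rejected value in the comment text would also make the trace more useful when diagnosing a malformed ioctl.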
-- 
1.7.10.4



