The length of the data must fit into the remaining available space until the
next copy of the data.
Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
---
common/state.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/common/state.c b/common/state.c
index 8f6d14c98255..4a1e935a3b86 100644
--- a/common/state.c
+++ b/common/state.c
@@ -1053,14 +1053,18 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
uint32_t crc;
struct state_variable *sv;
struct backend_raw_header header = {};
+ unsigned long max_len;
int ret;
void *buf;
+ max_len = backend_raw->stride;
+
ret = lseek(fd, offset, SEEK_SET);
if (ret < 0)
return ret;
ret = read_full(fd, &header, sizeof(header));
+ max_len -= sizeof(header);
if (ret < 0)
return ret;
@@ -1079,6 +1083,13 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
return -EINVAL;
}
+ if (header.data_len > max_len) {
+ dev_err(&state->dev,
+ "invalid data_len %u in header, max is %lu\n",
+ header.data_len, max_len);
+ return -EINVAL;
+ }
+
buf = xzalloc(header.data_len);
ret = read_full(fd, buf, header.data_len);
--
2.1.4
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
