if written_length is read from a partial written bucket it may be to
big and xmalloc will panic barebox.
Check if the value is sane. Make read_len unsigned to avoid negative
values.
Signed-off-by: Jan Remmet <j.remmet@xxxxxxxxx>
---
v2: replace compare < 0 by making read_len unsigned
common/state/backend_bucket_direct.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/state/backend_bucket_direct.c b/common/state/backend_bucket_direct.c
index 95ddb9310685..0dbd334db821 100644
--- a/common/state/backend_bucket_direct.c
+++ b/common/state/backend_bucket_direct.c
@@ -52,7 +52,7 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket
struct state_backend_storage_bucket_direct *direct =
get_bucket_direct(bucket);
struct state_backend_storage_bucket_direct_meta meta;
- ssize_t read_len;
+ uint32_t read_len;
void *buf;
int ret;
@@ -67,6 +67,11 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket
}
if (meta.magic == direct_magic) {
read_len = meta.written_length;
+ if (read_len > direct->max_size) {
+ dev_err(direct->dev, "Wrong length in meta data\n");
+ return -EINVAL;
+
+ }
} else {
if (meta.magic != ~0 && !!meta.magic)
bucket->wrong_magic = 1;
--
2.7.4
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
