Re: [PATCHv2] libblkid: Add length check in probe_nilfs2 before crc32

On Mon, Jun 20, 2016 at 07:09:10AM +0200, Torsten Hilbrich wrote:
>  libblkid/src/superblocks/nilfs.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/libblkid/src/superblocks/nilfs.c b/libblkid/src/superblocks/nilfs.c
> index d12472c..fbafb8d 100644
> --- a/libblkid/src/superblocks/nilfs.c
> +++ b/libblkid/src/superblocks/nilfs.c
> @@ -72,6 +72,7 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
>  	static unsigned char sum[4];
>  	const int sumoff = offsetof(struct nilfs_super_block, s_sum);
>  	size_t bytes;
> +	const size_t crc_start = sumoff + 4;
>  	uint32_t crc;
>  
>  	if (!sb || le16_to_cpu(sb->s_magic) != NILFS_SB_MAGIC)
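
Review bot: the literal 4 in "crc_start = sumoff + 4" repeats the size of the "sum[4]" array declared three lines above it. Writing it as "sumoff + sizeof(sum)" would keep the two in step. In the same declaration, sumoff is a const int while crc_start is a size_t, so making both size_t would avoid mixed signed/unsigned arithmetic in the later comparison.
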
> @@ -82,9 +83,15 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
>  		return 0;
>  
>  	bytes = le16_to_cpu(sb->s_bytes);
> +	/* ensure that no underrun can happen in the length parameter
> +	 * of the crc32 call or more data are processed than read into
> +	 * sb */
> +	if (bytes < crc_start || bytes > sizeof(struct nilfs_super_block))
> +		return -1;
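
Review bot: the new bounds check ends in "return -1", while the rejection path at the top of this hunk returns 0. If the caller tests the result as a truth value, -1 counts as true, so a superblock whose s_bytes falls outside [crc_start, sizeof(struct nilfs_super_block)] would be accepted rather than rejected. Return 0 here to match the existing failure path. The comment above the check could also name both cases separately: the lower bound prevents the length passed to crc32 from wrapping, and the upper bound prevents a read past the end of sb.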

 I guess that -1 is not expected return code there; nilfs_valid_sb() is
 used as boolean, see probe_nilfs2(). Fixed (replaced with zero).

 Applied, thanks!

    Karel

-- 
 Karel Zak  <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com