Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/dkwedge Fix buffer overflow. Triggerable by plugging...
details: https://anonhg.NetBSD.org/src/rev/4cef3d88e792
branches: trunk
changeset: 457378:4cef3d88e792
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Jun 22 06:45:46 2019 +0000
description:
Fix buffer overflow. Triggerable by plugging a specially-crafted USB key
in the machine (the kernel automatically tries to parse its GPT header).
The check could maybe be appeased to allow bigger sizes, but we've never
done that, so I'm leaving it as-is.
diffstat:
sys/dev/dkwedge/dkwedge_gpt.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diffs (27 lines):
diff -r 04456df19799 -r 4cef3d88e792 sys/dev/dkwedge/dkwedge_gpt.c
--- a/sys/dev/dkwedge/dkwedge_gpt.c Sat Jun 22 04:45:04 2019 +0000
+++ b/sys/dev/dkwedge/dkwedge_gpt.c Sat Jun 22 06:45:46 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $ */
+/* $NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $ */
/*-
* Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -175,7 +175,7 @@
entries = le32toh(hdr->hdr_entries);
entsz = roundup(le32toh(hdr->hdr_entsz), 8);
- if (entsz > roundup(sizeof(struct gpt_ent), 8)) {
+ if (entsz != sizeof(struct gpt_ent)) {
aprint_error("%s: bogus GPT entry size: %u\n",
pdk->dk_name, le32toh(hdr->hdr_entsz));
error = EINVAL;
Home |
Main Index |
Thread Index |
Old Index