git.ipfire.org Git - thirdparty/kmod.git/commitdiff
libkmod: Check child range in memory mapped index
author Tobias Stoeckmann <tobias@stoeckmann.org>
Mon, 30 Sep 2024 17:20:33 +0000 (19:20 +0200)
committer Lucas De Marchi <lucas.de.marchi@gmail.com>
Wed, 9 Oct 2024 03:52:54 +0000 (22:52 -0500)
If the value of "first" is negative, then a broken index can trigger a
stack-based buffer overflow, because child_count could become larger than
INDEX_CHILDMAX.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Link: https://github.com/kmod-project/kmod/pull/167
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
libkmod/libkmod-index.c

index 0c64740da7e71d9409771328f5b0c7d098cac118..e1808622934e4bff859ac78ab7e93aa02097a890 100644 (file)
@@ -699,7 +699,7 @@ static struct index_mm_node *index_mm_read_node(struct index_mm *idx, uint32_t o
                first = read_char_mm(&p);
                last = read_char_mm(&p);
 
-               if (first > last)
+               if (first > last || first < 0 || last < 0)
                        return NULL;
 
                child_count = last - first + 1;
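
Review bot: In the new condition `if (first > last || first < 0 || last < 0)` the `last < 0` test is redundant, because once `first > last` and `first < 0` are both false, `last` is at least `first` and so cannot be negative. It is harmless, but the property the commit message actually cares about is that `child_count` never exceeds INDEX_CHILDMAX, and nothing in the hunk states that directly. Consider adding an explicit bound right after `child_count = last - first + 1;` that returns NULL when `child_count` is larger than INDEX_CHILDMAX, so the guarantee does not depend on the value range of whatever `read_char_mm` returns. A one-line comment above the check noting that `first` and `last` come from an index file that may be corrupt would also help the next reader understand why negative values are rejected.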