gelf_getnote: Check padding overflow.

Since ELF notes need to be properly aligned they can include padding.
Make sure the padding itself and the padding calculation doesn't overflow.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 488609392951f9521c6f9ec12ed4775a2926ce4a..beb431fda8f8ef6cf6dab3f0c2e9f62274ad599a 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-16  Mark Wielaard  <mjw@redhat.com>
+
+       * gelf_getnote.c (gelf_getnote): Check padding overflow.
+
 2014-11-16  Mark Wielaard  <mjw@redhat.com>
 
        * elf_getdata.c (__libelf_set_rawdata_wrlock): Declare offset, size

diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c
index 8bb78c166f0abf0ec4903fe596d7a4435429f812..7dc8215674e5844c93276cffddd6f0449d60fdb7 100644 (file)
--- a/libelf/gelf_getnote.c
+++ b/libelf/gelf_getnote.c
@@ -73,16 +73,21 @@ gelf_getnote (data, offset, result, name_offset, desc_offset)
       const GElf_Nhdr *n = data->d_buf + offset;
       offset += sizeof *n;
 
+      /* Include padding.  Check below for overflow.  */
       GElf_Word namesz = NOTE_ALIGN (n->n_namesz);
       GElf_Word descsz = NOTE_ALIGN (n->n_descsz);
 
-      if (unlikely (data->d_size - offset < namesz))
+      if (unlikely (offset > data->d_size
+                   || data->d_size - offset < namesz
+                   || (namesz == 0 && n->n_namesz != 0)))
        offset = 0;
       else
        {
          *name_offset = offset;
          offset += namesz;
-         if (unlikely (data->d_size - offset < descsz))
+         if (unlikely (offset > data->d_size
+                       || data->d_size - offset < descsz
+                       || (descsz == 0 && n->n_descsz != 0)))
            offset = 0;
          else
            {