From: Guillem Jover Date: Sat, 15 Jun 2019 12:33:32 +0000 (+0200) Subject: nlist: Check whether sh_link is within bounds X-Git-Tag: 0.10.0~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=24d1f4dd34cd86759673f736c16e671a6303f8a8;p=thirdparty%2Flibbsd.git nlist: Check whether sh_link is within bounds The sh_link members should be >= e_shnum, otherwise we might do out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson Based-on-patch-by: Daniel Hodson Signed-off-by: Guillem Jover --- diff --git a/src/nlist.c b/src/nlist.c index 2aa2eee..e2a7949 100644 --- a/src/nlist.c +++ b/src/nlist.c @@ -172,6 +172,9 @@ __fdnlist(int fd, struct nlist *list) */ for (i = 0; i < ehdr.e_shnum; i++) { if (shdr[i].sh_type == SHT_SYMTAB) { + if (shdr[i].sh_link >= ehdr.e_shnum) + goto done; + symoff = shdr[i].sh_offset; symsize = shdr[i].sh_size; symstroff = shdr[shdr[i].sh_link].sh_offset;
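Review bot: The commit message states the condition the wrong way round compared with the check added in the SHT_SYMTAB branch. It says sh_link "should be >= e_shnum", while the code bails out on `shdr[i].sh_link >= ehdr.e_shnum`, so the valid range is sh_link < e_shnum; please reword the log to match the code. The check itself is placed correctly, ahead of the `shdr[shdr[i].sh_link].sh_offset` read it protects. Two follow-ups to consider: the index is now in range, but the linked header is not checked to be a string table (`sh_type == SHT_STRTAB`) before its sh_offset is taken as symstroff; and the `done` label lies outside the visible context, so confirm that jumping there leaves the caller with an error indication rather than a result that looks like a normal lookup.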