From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 30 Sep 2024 17:20:33 +0000 (+0200)
Subject: libkmod: Check child range in memory mapped index
X-Git-Tag: v34~268
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=824d4d07a421a35936d388f9bad4d583610f0ba4;p=thirdparty%2Fkmod.git

libkmod: Check child range in memory mapped index

If value of "first" is negative, then a broken index can trigger a stack
based buffer overflow, because child_count could become larger than
INDEX_CHILDMAX.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Link: https://github.com/kmod-project/kmod/pull/167
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/libkmod/libkmod-index.c b/libkmod/libkmod-index.c
index 0c64740d..e1808622 100644
--- a/libkmod/libkmod-index.c
+++ b/libkmod/libkmod-index.c
@@ -699,7 +699,7 @@ static struct index_mm_node *index_mm_read_node(struct index_mm *idx, uint32_t o
 		first = read_char_mm(&p);
 		last = read_char_mm(&p);
 
-		if (first > last)
+		if (first > last || first < 0 || last < 0)
 			return NULL;
 
 		child_count = last - first + 1;