* grub-core/fs/zfs/zfs.c (nvlist_next_nvpair): Error is encode_size

	<= 0.

diff --git a/ChangeLog b/ChangeLog
index 25bd9d4296ef6576addaa82c29cd83043fb25a24..3195b2cd405e874a87e7d5b2899e97e9352800e0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-07-14  Massimo Maggi <me@massimo-maggi.eu>
+
+       * grub-core/fs/zfs/zfs.c (nvlist_next_nvpair): Error is encode_size
+       <= 0.
+
 2013-07-14  Massimo Maggi <me@massimo-maggi.eu>
 
        * grub-core/fs/zfs/zfs.c: Split nvpair iterators into separate

diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index 0ef936287fca3f638e87db7c19f1af32e0d22977..c4cd9b270144e7d4838f2d2fea2adc83dbae417e 100644 (file)
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -827,6 +827,16 @@ nvlist_next_nvpair(const char *nvl, const char *nvpair)
                /* skip to the next nvpair */
                encode_size = grub_be_to_cpu32 (grub_get_unaligned32(nvpair));
                nvpair += encode_size;
+    /*If encode_size equals 0 nvlist_next_nvpair would return
+    * the same pair received in input, leading to an infinite loop.
+    * If encode_size is less than 0, this will move the pointer
+    * backwards, *possibly* examinining two times the same nvpair
+    * and potentially getting into an infinite loop. */
+               if(encode_size <= 0) {
+                 grub_dprintf ("zfs", "nvpair with size <= 0\n");
+                 grub_error (GRUB_ERR_BAD_FS, "incorrect nvlist");
+                 return NULL;
+               }
        }
        /* 8 bytes of 0 marks the end of the list */
        if (*(grub_uint64_t*)nvpair == 0)