From 65b1f3deed1e737fd4f3c80815200c38f2409fdc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Tue, 15 Aug 2023 21:25:44 +0200
Subject: [PATCH] libblkid: limit read buffer size
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Many probers read data from disk bounded by some field from the probed disk itself. The probers should validate the read length before using. Add a fallback that kicks in when the proper does not check the length epxlicitly. See #2427
Signed-off-by: Thomas Weißschuh
---
 libblkid/src/probe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index fdad0c2661..b05c5b58b6 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -688,6 +688,11 @@ const unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64
 return NULL;
 }
+ if (len > 8388608 /* 8 Mib */ ) {
+ DBG(BUFFER, ul_debug("\t too large read request (ignore)"));
+ return NULL;
+ }
+
 if (len == 0 || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len)) || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
-- 
2.47.3
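Review bot: The new `len > 8388608` branch returns NULL without touching errno, so a caller that tells a failed read from an ignored request by checking errno (the callers are outside this hunk) may report a stale error for a length field that came from the probed disk; if NULL with a cleared errno is the convention for ignored requests, add `errno = 0;` before the `return NULL;`. The limit is also a bare literal whose comment reads "8 Mib", which denotes mebibits; a named constant such as `#define BLKID_PROBE_MAX_READ (8 * 1024 * 1024) /* 8 MiB */` (the name is only a suggestion) would make the bound greppable and the unit correct. The cap bounds a single request only, so probers still need their own validation of on-disk length fields, as the commit message says. The body of blkid_probe_get_buffer starts and ends outside the hunk.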