liblkid: Add length check in probe_nilfs2 before crc32

author Torsten Hilbrich <torsten.hilbrich@secunet.com>

Mon, 20 Jun 2016 05:09:10 +0000 (07:09 +0200)

committer Karel Zak <kzak@redhat.com>

Wed, 10 Aug 2016 10:59:41 +0000 (12:59 +0200)
author Torsten Hilbrich <torsten.hilbrich@secunet.com>
Mon, 20 Jun 2016 05:09:10 +0000 (07:09 +0200)
committer Karel Zak <kzak@redhat.com>
Wed, 10 Aug 2016 10:59:41 +0000 (12:59 +0200)
diff --git a/libblkid/src/superblocks/nilfs.c b/libblkid/src/superblocks/nilfs.c

index d12472c7ecf4252c73f8caa69902f53a8246d1dd..cd93d7bc5bfbd313145e70dcc5914e8376133a9e 100644 (file)
--- a/libblkid/src/superblocks/nilfs.c
+++ b/libblkid/src/superblocks/nilfs.c
@@ -72,6 +72,7 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
         static unsigned char sum[4];
         const int sumoff = offsetof(struct nilfs_super_block, s_sum);
         size_t bytes;
+       const size_t crc_start = sumoff + 4;
         uint32_t crc;
  
         if (!sb || le16_to_cpu(sb->s_magic) != NILFS_SB_MAGIC)
@@ -82,9 +83,15 @@ static int nilfs_valid_sb(blkid_probe pr, struct nilfs_super_block *sb, int is_b
                 return 0;
  
         bytes = le16_to_cpu(sb->s_bytes);
+       /* ensure that no underrun can happen in the length parameter
+        * of the crc32 call or more data are processed than read into
+        * sb */
+       if (bytes < crc_start || bytes > sizeof(struct nilfs_super_block))
+               return 0;
+
         crc = crc32(le32_to_cpu(sb->s_crc_seed), (unsigned char *)sb, sumoff);
         crc = crc32(crc, sum, 4);
-       crc = crc32(crc, (unsigned char *)sb + sumoff + 4, bytes - sumoff - 4);
+       crc = crc32(crc, (unsigned char *)sb + crc_start, bytes - crc_start);
  
         return blkid_probe_verify_csum(pr, crc, le32_to_cpu(sb->s_sum));
  }
author	Torsten Hilbrich <torsten.hilbrich@secunet.com>
	Mon, 20 Jun 2016 05:09:10 +0000 (07:09 +0200)
committer	Karel Zak <kzak@redhat.com>
	Wed, 10 Aug 2016 10:59:41 +0000 (12:59 +0200)