[dmidecode] [PATCH] dmidecode: Sanity check the table offset in dump fil
From: Jean Delvare
Subject: [dmidecode] [PATCH] dmidecode: Sanity check the table offset in dump files
Date: Tue, 11 Sep 2018 11:47:02 +0200
If the offset (base) is beyond the end of the file (statbuf.st_size),
the computations will lead to an integer overflow. As it doesn't make
sense in the first place, check for this condition and fail
immediately.
This bug was discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer.
Signed-off-by: Jean Delvare <address@hidden>
Fixes: bd78a5dfd470 ("dmidecode: Don't allocate more memory than needed")
---
util.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- dmidecode.orig/util.c 2018-08-09 09:34:24.535059494 +0200
+++ dmidecode/util.c 2018-09-11 11:23:52.790702462 +0200
@@ -117,7 +117,14 @@ void *read_file(off_t base, size_t *max_
*/
if (fstat(fd, &statbuf) == 0)
{
- if (base + (off_t)*max_len > statbuf.st_size)
+ if (base >= statbuf.st_size)
+ {
+ fprintf(stderr, "%s: Can't read data beyond EOF\n",
+ filename);
+ p = NULL;
+ goto out;
+ }
+ if (*max_len > (size_t)statbuf.st_size - base)
*max_len = statbuf.st_size - base;
}
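Review bot: the new `if (base >= statbuf.st_size)` test bounds base from above only, so a negative base (it is a signed off_t in the read_file() signature) still reaches the clamp at `if (*max_len > (size_t)statbuf.st_size - base)`. There the subtraction yields more than the file size, and *max_len is left unclamped. Consider rejecting `base < 0` in the same error branch. In that same clamp line the cast binds to statbuf.st_size alone rather than to the difference, so the subtraction mixes size_t and off_t; writing `(size_t)(statbuf.st_size - base)` would do the arithmetic in off_t and convert the result once, which the preceding check guarantees is positive for a non-negative base, and it would match the assignment on the following line.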
--
Jean Delvare
SUSE L3 Support