if written_length is read from a partial written bucket it may be to big and xmalloc will panic barebox.
Check if the value is sane. Make read_len unsigned to avoid negative values. Signed-off-by: Jan Remmet <[email protected]> --- v2: replace compare < 0 by making read_len unsigned common/state/backend_bucket_direct.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/common/state/backend_bucket_direct.c b/common/state/backend_bucket_direct.c index 95ddb9310685..0dbd334db821 100644 --- a/common/state/backend_bucket_direct.c +++ b/common/state/backend_bucket_direct.c @@ -52,7 +52,7 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket struct state_backend_storage_bucket_direct *direct = get_bucket_direct(bucket); struct state_backend_storage_bucket_direct_meta meta; - ssize_t read_len; + uint32_t read_len; void *buf; int ret; @@ -67,6 +67,11 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket } if (meta.magic == direct_magic) { read_len = meta.written_length; + if (read_len > direct->max_size) { + dev_err(direct->dev, "Wrong length in meta data\n"); + return -EINVAL; + + } } else { if (meta.magic != ~0 && !!meta.magic) bucket->wrong_magic = 1; -- 2.7.4 _______________________________________________ barebox mailing list [email protected] http://lists.infradead.org/mailman/listinfo/barebox
