Check that the filename in the LAR neither overruns the
archive nor exceeds MAX_PATHLEN.

Needs a generic max() function to compile. Where do we want
that function?

Signed-off-by: Carl-Daniel Hailfinger <[EMAIL PROTECTED]>

Index: corebootv3-lar_overrun_prevention/lib/lar.c
===================================================================
--- corebootv3-lar_overrun_prevention/lib/lar.c (Revision 785)
+++ corebootv3-lar_overrun_prevention/lib/lar.c (Arbeitskopie)
@@ -69,6 +69,7 @@
 {
        char *walk, *fullname;
        struct lar_header *header;
+       int headroom;
 
        printk(BIOS_INFO, "LAR: Attempting to open '%s'.\n", filename);
        printk(BIOS_SPEW, "LAR: Start %p len 0x%x\n", archive->start,
@@ -123,7 +124,11 @@
                printk(BIOS_SPEW, "LAR: seen member %s\n", fullname);
                // FIXME: check checksum
 
-               if (strcmp(fullname, filename) == 0) {
+               /* Check that the name does neither overrun the archive nor
+                * exceed MAX_PATHLEN.
+                */
+               headroom = max(archive->len - (int)((char *)archive->start - 
fullname), MAX_PATHLEN);
+               if (strncmp(fullname, filename, headroom) == 0) {
                        printk(BIOS_SPEW, "LAR: CHECK %s @ %p\n", fullname, 
header);
                        result->start = walk + ntohl(header->offset);
                        result->len = ntohl(header->len);
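Review bot: The value computed for `headroom` does not bound the comparison the way the comment says. `max()` returns the larger of the two limits, so the result is never below MAX_PATHLEN, and `(char *)archive->start - fullname` is negative if `fullname` points into the archive (as it presumably does), which adds the offset to `archive->len` instead of subtracting it. The smaller limit with the subtraction reversed is what is needed, e.g. `headroom = min(archive->len - (int)(fullname - (char *)archive->start), MAX_PATHLEN);`, with a non-positive `headroom` treated as a corrupt member and skipped. The `printk(BIOS_SPEW, "LAR: seen member %s\n", fullname)` before the check and the "LAR: CHECK" printk after it still read `fullname` as an unbounded string, so an unterminated name is read past the archive regardless of the bounded `strncmp`. The enclosing function starts and ends outside the hunk.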


-- 
http://www.hailfinger.org/

