Without validation of array_size, dump-super may perform a bad memory access.
Signed-off-by: Lu Fengqi <[email protected]>
---
 cmds-inspect-dump-super.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
index ee2c8e3a..48b5219c 100644
--- a/cmds-inspect-dump-super.c
+++ b/cmds-inspect-dump-super.c
@@ -62,16 +62,23 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 struct btrfs_key key;
 int item;
- buf = malloc(sizeof(*buf) + sizeof(*sb));
+ buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE);
 if (!buf) {
 error("not enough memory");
- goto out;
+ return;
 }
- write_extent_buffer(buf, sb, 0, sizeof(*sb));
+ write_extent_buffer(buf, sb, 0, BTRFS_SUPER_INFO_SIZE);
 array_size = btrfs_super_sys_array_size(sb);
 array_ptr = sb->sys_chunk_array;
 sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
+
+ if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+ error("sys_array_size %u shouldn't exceed %u bytes",
+ array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+ goto out;
+ }
+
 cur_offset = 0;
 item = 0;
@@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 item++;
 }
- free(buf);
 out:
+ free(buf);
 return;
 out_short_read:
-- 
2.12.1
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
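Review bot: The new `array_size` bound check in the first hunk sits after the `malloc` and the `write_extent_buffer` copy, so the rejected path has to unwind through `out:`; reading `array_size = btrfs_super_sys_array_size(sb);` and checking it before the allocation would make that path a plain `return` with nothing to free and no copy done for a superblock that is about to be rejected. The second hunk moves `free(buf)` under `out:`, but `out_short_read:` comes after the `return;` and its body is outside the hunk — if that path exits without reaching `out:`, `buf` is presumably still leaked there, which is worth checking since the short-read case is exactly the one a malformed array triggers. The copy now reads `BTRFS_SUPER_INFO_SIZE` bytes from `sb` instead of `sizeof(*sb)`, which presumes every caller passes a buffer of at least that size; worth confirming at the call sites. print_sys_chunk_array starts before and ends after both hunks.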
