Without validation of array_size, the dump-super may lead to a bad
memory access.

Signed-off-by: Lu Fengqi <lufq.f...@cn.fujitsu.com>
---
v2:
        Accept David's advice, no longer use BTRFS_SUPER_INFO_SIZE instead of 
sizeof(*sb).
---
 cmds-inspect-dump-super.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
index ee2c8e3a..b65bd2d9 100644
--- a/cmds-inspect-dump-super.c
+++ b/cmds-inspect-dump-super.c
@@ -65,13 +65,20 @@ static void print_sys_chunk_array(struct btrfs_super_block 
*sb)
        buf = malloc(sizeof(*buf) + sizeof(*sb));
        if (!buf) {
                error("not enough memory");
-               goto out;
+               return;
        }
        write_extent_buffer(buf, sb, 0, sizeof(*sb));
        array_size = btrfs_super_sys_array_size(sb);
 
        array_ptr = sb->sys_chunk_array;
        sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
+
+       if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+               error("sys_array_size %u shouldn't exceed %u bytes",
+                               array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+               goto out;
+       }
+
        cur_offset = 0;
        item = 0;
 
@@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block 
*sb)
                item++;
        }
 
-       free(buf);
 out:
+       free(buf);
        return;
 
 out_short_read:
-- 
2.12.2



--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to