Without validating array_size, dump-super may perform a bad memory access.
Signed-off-by: Lu Fengqi <[email protected]>
---
v2: Accept David's advice, no longer use BTRFS_SUPER_INFO_SIZE instead of sizeof(*sb).
---
cmds-inspect-dump-super.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
index ee2c8e3a..b65bd2d9 100644
--- a/cmds-inspect-dump-super.c
+++ b/cmds-inspect-dump-super.c
@@ -65,13 +65,20 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 buf = malloc(sizeof(*buf) + sizeof(*sb));
 if (!buf) {
 error("not enough memory");
- goto out;
+ return;
 }
 write_extent_buffer(buf, sb, 0, sizeof(*sb));
 array_size = btrfs_super_sys_array_size(sb);
 array_ptr = sb->sys_chunk_array;
 sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
+
+ if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+ error("sys_array_size %u shouldn't exceed %u bytes",
+ array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+ goto out;
+ }
+
 cur_offset = 0;
 item = 0;
@@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 item++;
 }
- free(buf);
 out:
+ free(buf);
 return;
 out_short_read:
--
2.12.2
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
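Review bot: The bound check on array_size in the first hunk runs only after buf has been allocated and the superblock copied into it, so an over-sized value from the on-disk superblock still costs an allocation and a copy before being rejected; reading and validating array_size ahead of the malloc would let the function `return` directly, with no `goto out` needed. A short comment above the check would also help the next reader, e.g. `/* array_size is read from the on-disk superblock; bound it before it drives the read loop below */`. The `%u` conversions assume array_size and BTRFS_SYSTEM_CHUNK_ARRAY_SIZE are both unsigned, which should be confirmed against their definitions outside this hunk. In the second hunk `free(buf)` now sits only under `out:`; whether the `out_short_read:` exit, which continues past the hunk, also releases buf is not visible here and is worth confirming. print_sys_chunk_array begins before the first hunk and ends after the second.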
