On Wed, Apr 05, 2017 at 04:59:14PM +0800, Lu Fengqi wrote:
> Without validation of array_size, the dump-super may lead to a bad
> memory access.
>
> Signed-off-by: Lu Fengqi <lufq.fnst@xxxxxxxxxxxxxx>
> ---
> cmds-inspect-dump-super.c | 15 +++++++++++----
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
> index ee2c8e3a..48b5219c 100644
> --- a/cmds-inspect-dump-super.c
> +++ b/cmds-inspect-dump-super.c
> @@ -62,16 +62,23 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
> struct btrfs_key key;
> int item;
>
> - buf = malloc(sizeof(*buf) + sizeof(*sb));
> + buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE);
This seems to be unnecessary, the super block structure should contain
entier sys_array.
> if (!buf) {
> error("not enough memory");
> - goto out;
> + return;
> }
> - write_extent_buffer(buf, sb, 0, sizeof(*sb));
> + write_extent_buffer(buf, sb, 0, BTRFS_SUPER_INFO_SIZE);
> array_size = btrfs_super_sys_array_size(sb);
>
> array_ptr = sb->sys_chunk_array;
> sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
> +
> + if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
> + error("sys_array_size %u shouldn't exceed %u bytes",
> + array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
> + goto out;
> + }
> +
> cur_offset = 0;
> item = 0;
>
> @@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
> item++;
> }
>
> - free(buf);
> out:
> + free(buf);
> return;
>
> out_short_read:
> --
> 2.12.1
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
