btrfs-progs: dump-super: check array_size in print_sys_chunk_array

Without validation of array_size, the dump-super may lead to a bad memory access. Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com> Signed-off-by: David Sterba <dsterba@suse.com>
author: Lu Fengqi <lufq.fnst@cn.fujitsu.com> 2017-04-20 16:07:56 +0800
committer: David Sterba <dsterba@suse.com> 2017-04-20 13:29:13 +0200
commit: d5213118a5cb36c0a5bfc14131a36650688a9094 (patch)
tree: 7e8159aa3ebd133ae97a516e555fbfd3aa504fb5 /cmds-inspect-dump-super.c
parent: beb924e12d33f11d76c54fad003c6ae3adc9fcc7 (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
index ee2c8e3a..b65bd2d9 100644
--- a/cmds-inspect-dump-super.c
+++ b/cmds-inspect-dump-super.c
@@ -65,13 +65,20 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 	buf = malloc(sizeof(*buf) + sizeof(*sb));
 	if (!buf) {
 		error("not enough memory");
-		goto out;
+		return;
 	}
 	write_extent_buffer(buf, sb, 0, sizeof(*sb));
 	array_size = btrfs_super_sys_array_size(sb);
 
 	array_ptr = sb->sys_chunk_array;
 	sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
+
+	if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+		error("sys_array_size %u shouldn't exceed %u bytes",
+				array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+		goto out;
+	}
+
 	cur_offset = 0;
 	item = 0;
 
@@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb)
 		item++;
 	}
 
-	free(buf);
 out:
+	free(buf);
 	return;
 
 out_short_read:
author	Lu Fengqi <lufq.fnst@cn.fujitsu.com>	2017-04-20 16:07:56 +0800
committer	David Sterba <dsterba@suse.com>	2017-04-20 13:29:13 +0200
commit	d5213118a5cb36c0a5bfc14131a36650688a9094 (patch)
tree	7e8159aa3ebd133ae97a516e555fbfd3aa504fb5 /cmds-inspect-dump-super.c
parent	beb924e12d33f11d76c54fad003c6ae3adc9fcc7 (diff)