diff options
author | Lu Fengqi <lufq.fnst@cn.fujitsu.com> | 2017-04-20 16:07:56 +0800 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2017-04-20 13:29:13 +0200 |
commit | d5213118a5cb36c0a5bfc14131a36650688a9094 (patch) | |
tree | 7e8159aa3ebd133ae97a516e555fbfd3aa504fb5 /cmds-inspect-dump-super.c | |
parent | beb924e12d33f11d76c54fad003c6ae3adc9fcc7 (diff) |
btrfs-progs: dump-super: check array_size in print_sys_chunk_array
Without validation of array_size, the dump-super may lead to a bad
memory access.
Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'cmds-inspect-dump-super.c')
-rw-r--r-- | cmds-inspect-dump-super.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c index ee2c8e3a..b65bd2d9 100644 --- a/cmds-inspect-dump-super.c +++ b/cmds-inspect-dump-super.c @@ -65,13 +65,20 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) buf = malloc(sizeof(*buf) + sizeof(*sb)); if (!buf) { error("not enough memory"); - goto out; + return; } write_extent_buffer(buf, sb, 0, sizeof(*sb)); array_size = btrfs_super_sys_array_size(sb); array_ptr = sb->sys_chunk_array; sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array); + + if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) { + error("sys_array_size %u shouldn't exceed %u bytes", + array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE); + goto out; + } + cur_offset = 0; item = 0; @@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) item++; } - free(buf); out: + free(buf); return; out_short_read: |