summaryrefslogtreecommitdiff
path: root/send-stream.c
diff options
context:
space:
mode:
authorDavid Sterba <dsterba@suse.com>2016-11-15 14:38:19 +0100
committerDavid Sterba <dsterba@suse.com>2016-11-23 10:49:57 +0100
commit23ac27781eb54ccdc60b2738f2d3ea1ff67966df (patch)
treed7d301971d5f8461702e8cad1c418fdd3c1da3d0 /send-stream.c
parentd63854d1b617a9206efaa2d8a60669bea9c16737 (diff)
btrfs-progs: send-stream: check command length before reading from stream
The command + header length could not fit to the intermediate buffer. Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'send-stream.c')
-rw-r--r--send-stream.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/send-stream.c b/send-stream.c
index 502e43ec..450854f6 100644
--- a/send-stream.c
+++ b/send-stream.c
@@ -82,6 +82,7 @@ static int read_cmd(struct btrfs_send_stream *sctx)
memset(sctx->cmd_attrs, 0, sizeof(sctx->cmd_attrs));
+ ASSERT(sizeof(*sctx->cmd_hdr) <= sizeof(sctx->read_buf));
ret = read_buf(sctx, sctx->read_buf, sizeof(*sctx->cmd_hdr));
if (ret < 0)
goto out;
@@ -95,6 +96,13 @@ static int read_cmd(struct btrfs_send_stream *sctx)
cmd = le16_to_cpu(sctx->cmd_hdr->cmd);
cmd_len = le32_to_cpu(sctx->cmd_hdr->len);
+ if (cmd_len + sizeof(*sctx->cmd_hdr) >= sizeof(sctx->read_buf)) {
+ ret = -EINVAL;
+ error("command length %d too big for buffer %zu",
+ cmd_len, sizeof(sctx->read_buf));
+ goto out;
+ }
+
data = sctx->read_buf + sizeof(*sctx->cmd_hdr);
ret = read_buf(sctx, data, cmd_len);
if (ret < 0)