From 23ac27781eb54ccdc60b2738f2d3ea1ff67966df Mon Sep 17 00:00:00 2001
From: David Sterba
Date: Tue, 15 Nov 2016 14:38:19 +0100
Subject: btrfs-progs: send-stream: check command length before reading from stream

The command + header length could not fit to the intermediate buffer.

Signed-off-by: David Sterba
---
send-stream.c | 8 ++++++++
1 file changed, 8 insertions(+)

(limited to 'send-stream.c')

diff --git a/send-stream.c b/send-stream.c
index 502e43ec..450854f6 100644
--- a/send-stream.c
+++ b/send-stream.c
@@ -82,6 +82,7 @@ static int read_cmd(struct btrfs_send_stream *sctx)
 memset(sctx->cmd_attrs, 0, sizeof(sctx->cmd_attrs));
+ ASSERT(sizeof(*sctx->cmd_hdr) <= sizeof(sctx->read_buf));
 ret = read_buf(sctx, sctx->read_buf, sizeof(*sctx->cmd_hdr));
 if (ret < 0)
 goto out;
@@ -95,6 +96,13 @@ static int read_cmd(struct btrfs_send_stream *sctx)
 cmd = le16_to_cpu(sctx->cmd_hdr->cmd);
 cmd_len = le32_to_cpu(sctx->cmd_hdr->len);
+ if (cmd_len + sizeof(*sctx->cmd_hdr) >= sizeof(sctx->read_buf)) {
+ ret = -EINVAL;
+ error("command length %d too big for buffer %zu",
+ cmd_len, sizeof(sctx->read_buf));
+ goto out;
+ }
+ data = sctx->read_buf + sizeof(*sctx->cmd_hdr);
 ret = read_buf(sctx, data, cmd_len);
 if (ret < 0)
--
cgit v1.2.3
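Review bot: The `ASSERT` added before the header read in the first hunk compares two `sizeof` expressions, so it tests a compile-time fact at run time on every command. A static assertion such as `_Static_assert(sizeof(*sctx->cmd_hdr) <= sizeof(sctx->read_buf), "cmd header must fit read_buf");` (or the project's own build-time assert macro, if it has one) would reject a too-small buffer at build time and cannot be compiled out with the runtime assertions. The body of read_cmd starts and ends outside the hunk.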
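Review bot: The length check added in the second hunk performs the addition before the comparison, so on a build where `size_t` is 32 bits a `cmd_len` close to the top of the 32-bit range can wrap `cmd_len + sizeof(*sctx->cmd_hdr)` to a small value and still reach `read_buf(sctx, data, cmd_len)` with an oversized length. Since `cmd_len` is taken directly from the stream header, the check should not depend on the sum fitting; comparing against the remaining space keeps the same `>=` semantics without the wrap: `if (cmd_len >= sizeof(sctx->read_buf) - sizeof(*sctx->cmd_hdr)) {`. The subtraction cannot underflow because the first hunk already asserts that the header fits in `read_buf`. The declaration of `cmd_len` is outside the hunk, but if it is the unsigned 32-bit type that `le32_to_cpu` suggests, the error message should print it with `%u` rather than `%d` so that large rejected lengths are not logged as negative numbers.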