authorNeilBrown <neilb@suse.de>2014-07-10 15:59:06 +1000
committerNeilBrown <neilb@suse.de>2014-07-10 15:59:06 +1000
commit1f17f96b538793a0e665e471f602c6fa490ec167 (patch)
treee2f88cd10208c5f3899d6d1ecf28789bfa3e66f8
parent5fe6f031d9a21a935f0ef1b1fbdb314b53f2199f (diff)
DDF: validate metadata_update size before using it.
process_update already checks update->len for everything but the 'magic'; prepare_update doesn't check it at all. So add tests to prepare_update to ensure that we don't exceed the buffer. This will consequently protect process_update from looking for a 'magic' which isn't there.

Reported-by: Vincent Berg <vberg@ioactive.com>
Signed-off-by: NeilBrown <neilb@suse.de>
-rw-r--r--super-ddf.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/super-ddf.c b/super-ddf.c
index 1e43ca26..8957c2e3 100644
--- a/super-ddf.c
+++ b/super-ddf.c
@@ -4914,10 +4914,16 @@ static int ddf_prepare_update(struct supertype *st,
* If a malloc is needed, do it here.
*/
struct ddf_super *ddf = st->sb;
- be32 *magic = (be32 *)update->buf;
+ be32 *magic;
+ if (update->len < 4)
+ return 0;
+ magic = (be32 *)update->buf;
if (be32_eq(*magic, DDF_VD_CONF_MAGIC)) {
struct vcl *vcl;
- struct vd_config *conf = (struct vd_config *) update->buf;
+ struct vd_config *conf;
+ if (update->len < (int)sizeof(*conf))
+ return 0;
+ conf = (struct vd_config *) update->buf;
if (posix_memalign(&update->space, 512,
offsetof(struct vcl, conf)
+ ddf->conf_rec_len * 512) != 0) {
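Review bot: The first added guard, `if (update->len < 4)`, hard-codes the size of the magic while the second guard uses `sizeof(*conf)`; writing it as `if (update->len < (int)sizeof(*magic))` would tie both checks to the types they protect. The `(int)` cast matters if `update->len` is a signed int (its declaration is not in this hunk): it keeps the comparison signed, so a negative length is rejected instead of being converted to a large unsigned value. A short comment such as `/* signed compare: a negative len must be rejected too */` would keep the cast from being removed as a cleanup. The second guard only proves that the fixed part of `struct vd_config` is present, while the allocation after it is sized from `ddf->conf_rec_len * 512`. The rest of ddf_prepare_update is outside the hunk, so any code there that reads variable-length data from `update->buf` would need its own bound against `update->len`.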