author | Marc Kleine-Budde <mkl@pengutronix.de> | 2015-05-26 13:37:52 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2015-05-26 14:33:18 +0200 |
commit | 51b0b010beb9cc9c0c86ceab875b7404956a560a (patch) | |
tree | a9b66bb02975def71bc3e4a701a716cb45155440 | |
parent | ab1f4aa928f3032c28407dac51f072a0b6a22754 (diff) | |
state: backend_raw: add sanity check of data_len during load
The length of the data must fit into the remaining available space until the
next copy of the data.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | common/state.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/common/state.c b/common/state.c
index 55265449b8..6e4d7169bc 100644
--- a/common/state.c
+++ b/common/state.c
@@ -1053,14 +1053,18 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
 uint32_t crc;
 struct state_variable *sv;
 struct backend_raw_header header = {};
+ unsigned long max_len;
 int ret;
 void *buf;
+ max_len = backend_raw->stride;
+
 ret = lseek(fd, offset, SEEK_SET);
 if (ret < 0)
 return ret;
 ret = read_full(fd, &header, sizeof(header));
+ max_len -= sizeof(header);
 if (ret < 0)
 return ret;
@@ -1079,6 +1083,13 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
 return -EINVAL;
 }
+ if (header.data_len > max_len) {
+ dev_err(&state->dev,
+ "invalid data_len %u in header, max is %lu\n",
+ header.data_len, max_len);
+ return -EINVAL;
+ }
+
 buf = xzalloc(header.data_len);
 ret = read_full(fd, buf, header.data_len); |
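Review bot: In the first hunk `max_len` is an `unsigned long` and `max_len -= sizeof(header);` is unguarded, so if `backend_raw->stride` can ever be smaller than the header the subtraction wraps to a huge value. The `header.data_len > max_len` test added in the second hunk would then accept any length read from storage before `xzalloc(header.data_len)`. Whether stride is validated where the backend is configured is not visible in these hunks, so either confirm that or reject it locally with `if (backend_raw->stride < sizeof(header)) return -EINVAL;`. The subtraction also sits between `read_full()` and its `if (ret < 0)` check, which reads as though it depended on the read; folding it into the first assignment as `max_len = backend_raw->stride - sizeof(header);` (after the guard) would be clearer. The body of `backend_raw_load_one` starts and ends outside both hunks.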