Kees Cook <keesc...@chromium.org> wrote:

> This multiplication can push the cursor out of bounds. (n_data_dirents
> is unverified).
> ...
> Both of these cases of n_sections multiplications can wrap.
> Ultimately, you can end up with cursor close to zero, but n_sections
> being giant.

Good points. I wonder if I should limit these to some low number, or just check that they don't exceed header_size, which also needs checking as you said.

> ...
> (Also, do you want a "break" in there after the first .keylist is found,
> or is this intentionally "use last key list"?)

I hadn't considered that. Inserting a break is probably best, if only to curtail the processing time slightly.

David
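The wrap raised in the quoted review, next to a check against header_size of the kind proposed in the reply, as an added example that is not code from the patch under discussion. It assumes 32-bit offsets so the wrap is deterministic; the function names, the 40-byte entry size and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check: cursor + count * elem_size is evaluated in 32 bits and can
 * wrap, so a giant count yields a small end offset that passes. */
static bool naive_fits(uint32_t cursor, uint32_t count, uint32_t elem_size,
                       uint32_t header_size)
{
    uint32_t end = cursor + count * elem_size;  /* may wrap */
    return end <= header_size;
}

/* Wrap-free check: divide the remaining space instead of multiplying
 * the untrusted count. */
static bool checked_fits(uint32_t cursor, uint32_t count, uint32_t elem_size,
                         uint32_t header_size)
{
    if (elem_size == 0 || cursor > header_size)
        return false;
    return count <= (header_size - cursor) / elem_size;
}

/* Advance the cursor past a table of count entries; on failure the
 * cursor is left untouched. */
static bool advance(uint32_t *cursor, uint32_t count, uint32_t elem_size,
                    uint32_t header_size)
{
    if (!checked_fits(*cursor, count, elem_size, header_size))
        return false;
    *cursor += count * elem_size;  /* cannot wrap: bounded by header_size */
    return true;
}

int main(void)
{
    /* Constructed values: 0x66666667 * 40 wraps to 24 in 32 bits. */
    uint32_t cursor = 0x178, header_size = 0x400, hostile = 0x66666667u;

    printf("naive accepts hostile count:   %d\n",
           naive_fits(cursor, hostile, 40, header_size));
    printf("checked accepts hostile count: %d\n",
           checked_fits(cursor, hostile, 40, header_size));
    printf("checked accepts 4 entries:     %d\n",
           advance(&cursor, 4, 40, header_size));
    return 0;
}
```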