Module Name:    src
Committed By:   maxv
Date:           Sat Jun 22 06:45:47 UTC 2019

Modified Files:
        src/sys/dev/dkwedge: dkwedge_gpt.c

Log Message:
Fix buffer overflow. Triggerable by plugging a specially-crafted USB key
in the machine (the kernel automatically tries to parse its GPT header).
The check could maybe be relaxed to allow bigger sizes, but we've never
done that, so I'm leaving it as-is.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/dev/dkwedge/dkwedge_gpt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/dkwedge/dkwedge_gpt.c
diff -u src/sys/dev/dkwedge/dkwedge_gpt.c:1.22 src/sys/dev/dkwedge/dkwedge_gpt.c:1.23
--- src/sys/dev/dkwedge/dkwedge_gpt.c:1.22	Wed Apr 10 15:19:15 2019
+++ src/sys/dev/dkwedge/dkwedge_gpt.c	Sat Jun 22 06:45:46 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $	*/
+/*	$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -175,7 +175,7 @@ dkwedge_discover_gpt(struct disk *pdk, s
 
 	entries = le32toh(hdr->hdr_entries);
 	entsz = roundup(le32toh(hdr->hdr_entsz), 8);
-	if (entsz > roundup(sizeof(struct gpt_ent), 8)) {
+	if (entsz != sizeof(struct gpt_ent)) {
 		aprint_error("%s: bogus GPT entry size: %u\n",
 		    pdk->dk_name, le32toh(hdr->hdr_entsz));
 		error = EINVAL;
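Review bot: The new equality test `if (entsz != sizeof(struct gpt_ent))` is applied to the value already rounded up to a multiple of 8, so an on-disk `hdr_entsz` up to seven bytes short of the structure size is still accepted. The test also only works while `sizeof(struct gpt_ent)` is itself a multiple of 8. Comparing the raw field would make the intent exact: `if (le32toh(hdr->hdr_entsz) != sizeof(struct gpt_ent)) {`, with a comment such as `/* hdr_entsz comes from the device; only the in-kernel entry layout is accepted */`. `entries` on the line above comes from the same untrusted header, and whether it is bounded before it is used for sizing is not visible here. The rest of dkwedge_discover_gpt also lies outside this hunk, so that bound is worth confirming alongside this fix.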
