Module Name:    src
Committed By:   maxv
Date:           Sat Jun 22 06:45:47 UTC 2019

Modified Files:
        src/sys/dev/dkwedge: dkwedge_gpt.c

Log Message:
Fix buffer overflow. Triggerable by plugging a specially-crafted USB key in
the machine (the kernel automatically tries to parse its GPT header).

The check could maybe be appeased to allow bigger sizes, but we've never
done that, so I'm leaving it as-is.

To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/dev/dkwedge/dkwedge_gpt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/sys/dev/dkwedge/dkwedge_gpt.c diff -u src/sys/dev/dkwedge/dkwedge_gpt.c:1.22 src/sys/dev/dkwedge/dkwedge_gpt.c:1.23 --- src/sys/dev/dkwedge/dkwedge_gpt.c:1.22 Wed Apr 10 15:19:15 2019 +++ src/sys/dev/dkwedge/dkwedge_gpt.c Sat Jun 22 06:45:46 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $ */ +/* $NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $ */ /*- * Copyright (c) 2004 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -175,7 +175,7 @@ dkwedge_discover_gpt(struct disk *pdk, s entries = le32toh(hdr->hdr_entries); entsz = roundup(le32toh(hdr->hdr_entsz), 8); - if (entsz > roundup(sizeof(struct gpt_ent), 8)) { + if (entsz != sizeof(struct gpt_ent)) { aprint_error("%s: bogus GPT entry size: %u\n", pdk->dk_name, le32toh(hdr->hdr_entsz)); error = EINVAL;
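
Review bot: In the @@ -175,7 +175,7 @@ hunk, the new test entsz != sizeof(struct gpt_ent) compares a value that has already been rounded up (entsz = roundup(le32toh(hdr->hdr_entsz), 8)) against the unrounded structure size. If sizeof(struct gpt_ent) is a multiple of 8, a header whose raw hdr_entsz is up to 7 bytes smaller than the structure still passes the check; if it is not a multiple of 8, no header can pass at all. Comparing the raw le32toh(hdr->hdr_entsz) against sizeof(struct gpt_ent) would make the accepted value exact and would match the value the aprint_error line reports. A short comment above the check stating that only the exact entry size is accepted, and that larger sizes are rejected on purpose, would keep the reasoning from the log message next to the code.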