Serguey Parkhomovsky wrote:
> Ping? This is the same sanity check that's done in nm(1)'s ELF handling.

Makes sense to me. Tentative ok mmcc@

Alternatively, this check could be added to __elf_is_okay__, which is called right above where you added it. However, the definition of the function would have to change slightly; it's documented as checking whether the ELF header matches the target platform.

> On Thu, Dec 10, 2015 at 09:40:11AM -0800, Serguey Parkhomovsky wrote:
> > When dealing with a malformed ELF header, e_shentsize may be 0. This
> > causes an out of bounds read while finding the symbol table on line 141.
> >
> > Found using afl.
> >
> > Index: nlist.c
> > ===================================================================
> > RCS file: /cvs/src/lib/libc/gen/nlist.c,v
> > retrieving revision 1.65
> > diff -u -p -r1.65 nlist.c
> > --- nlist.c 16 Oct 2015 16:54:38 -0000 1.65
> > +++ nlist.c 10 Dec 2015 16:36:26 -0000
> > @@ -102,6 +102,10 @@ __fdnlist(int fd, struct nlist *list)
> > !__elf_is_okay__(&ehdr) || fstat(fd, &st) < 0)
> > return (-1);
> >
> > + /* Make sure section header size is not too small */
> > + if (ehdr.e_shentsize < sizeof(Elf_Shdr))
> > + return (-1);
> > +
> > /* calculate section header table size */
> > shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
> >
>
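Review bot: the lower bound is the right fix for the zero-stride read described in the message, but the comment on the added check should say why sizeof(Elf_Shdr) is the bound: the symbol table search reads a whole Elf_Shdr at each e_shentsize stride, so any smaller value makes that read run past the end of the table. It is also worth checking whether the following `shdr_size = ehdr.e_shentsize * ehdr.e_shnum;` needs an e_shnum == 0 guard, since the new check still lets a zero-length table through to the code that uses shdr_size.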
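The header check discussed in this thread, carried a little further as an added example (not the nlist.c code from the patch): besides the e_shentsize lower bound, it rejects an empty section header table and a table that does not fit inside the file. It assumes a 64-bit ELF header from <elf.h>; the sample headers are constructed for the example.

```c
/* Added example, not the libc nlist.c code: validate the section header
 * table fields of an ELF header before the table is used.
 * Assumes <elf.h> and a 64-bit header (Elf64_Ehdr / Elf64_Shdr). */
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Return 0 if the section header table described by ehdr can be walked
 * with a full Elf64_Shdr read at every e_shentsize stride, -1 otherwise. */
int
shdr_table_ok(const Elf64_Ehdr *ehdr, uint64_t file_size)
{
	uint64_t shdr_size;

	/* Same bound as the patch: a stride shorter than Elf64_Shdr makes
	 * the per-entry read run past the end of the table. */
	if (ehdr->e_shentsize < sizeof(Elf64_Shdr))
		return (-1);
	/* No section headers at all: nothing to search, so reject. */
	if (ehdr->e_shnum == 0)
		return (-1);
	/* Both fields are 16-bit, so the product cannot overflow 64 bits. */
	shdr_size = (uint64_t)ehdr->e_shentsize * ehdr->e_shnum;
	/* The whole table must lie inside the file. */
	if (ehdr->e_shoff > file_size || shdr_size > file_size - ehdr->e_shoff)
		return (-1);
	return (0);
}

/* Constructed header: well-formed except for the fields under test. */
static Elf64_Ehdr
sample_ehdr(uint16_t shentsize, uint16_t shnum, uint64_t shoff)
{
	Elf64_Ehdr e;

	memset(&e, 0, sizeof(e));
	memcpy(e.e_ident, ELFMAG, SELFMAG);
	e.e_ident[EI_CLASS] = ELFCLASS64;
	e.e_shentsize = shentsize;
	e.e_shnum = shnum;
	e.e_shoff = shoff;
	return (e);
}

/* Build a constructed header and run the check on it. */
int
check_sample(uint16_t shentsize, uint16_t shnum, uint64_t shoff,
    uint64_t file_size)
{
	Elf64_Ehdr e = sample_ehdr(shentsize, shnum, shoff);

	return (shdr_table_ok(&e, file_size));
}
```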