[PATCH] decode mtd/ubi ioctls
Mike Frysinger
vapier at gentoo.org
Sun May 5 05:10:49 UTC 2013
On Saturday 04 May 2013 16:10:29 Dmitry V. Levin wrote:
> On Wed, May 01, 2013 at 11:35:30PM -0400, Mike Frysinger wrote:
> > + /* 4*(n-1) + 3 for quotes and NUL */
> > + char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
> > +
> > + if (entering(tcp))
> > + return 0;
> > +
> > + switch (code) {
> > + case UBI_IOCMKVOL:
> > + if (!verbose(tcp) || umove(tcp, arg, &mkvol) < 0)
> > + return 0;
> > +
> > + tprintf(", {vol_id=%" PRIi32 ", alignment=%" PRIi32
> > + ", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
> > + mkvol.alignment, (int64_t)mkvol.bytes);
> > + printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
> > + string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
>
> Because mkvol.name_len is untrusted input, it can exceed
> UBI_MAX_VOLUME_NAME with good chance to overflow vol_name[].
> I suggest adding some kind of
> CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME).
yeah ... i thought of that when processing UBI_IOCRNVOL.ents, but forgot about
the names. i'll post a fix for it.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20130505/e530195d/attachment.bin>
More information about the Strace-devel
mailing list