[PATCH] decode mtd/ubi ioctls

Mike Frysinger vapier at gentoo.org
Sun May 5 05:10:49 UTC 2013


On Saturday 04 May 2013 16:10:29 Dmitry V. Levin wrote:
> On Wed, May 01, 2013 at 11:35:30PM -0400, Mike Frysinger wrote:
> > +	/* 4*(n-1) + 3 for quotes and NUL */
> > +	char vol_name[(UBI_MAX_VOLUME_NAME + 1) * 4];
> > +
> > +	if (entering(tcp))
> > +		return 0;
> > +
> > +	switch (code) {
> > +	case UBI_IOCMKVOL:
> > +		if (!verbose(tcp) || umove(tcp, arg, &mkvol) < 0)
> > +			return 0;
> > +
> > +		tprintf(", {vol_id=%" PRIi32 ", alignment=%" PRIi32
> > +			", bytes=%" PRIi64 ", vol_type=", mkvol.vol_id,
> > +			mkvol.alignment, (int64_t)mkvol.bytes);
> > +		printxval(ubi_volume_types, mkvol.vol_type, "UBI_???_VOLUME");
> > +		string_quote(mkvol.name, vol_name, -1, mkvol.name_len);
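
Review bot: in the UBI_IOCMKVOL case, mkvol.name_len is copied from the tracee by umove() and passed unchecked as the length argument of string_quote(), while vol_name[] is sized for at most UBI_MAX_VOLUME_NAME input bytes. Bound name_len on both sides (negative values as well as values above UBI_MAX_VOLUME_NAME) before the call, so the quoting can neither read past mkvol.name nor write past the end of vol_name[].
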
> 
> Because mkvol.name_len is untrusted input, it can exceed
> UBI_MAX_VOLUME_NAME with a good chance of overflowing vol_name[].
> I suggest adding some kind of
> CLAMP(mkvol.name_len, 0, UBI_MAX_VOLUME_NAME).

yeah ... i thought of that when processing UBI_IOCRNVOL.ents, but forgot about 
the names.  i'll post a fix for it.
-mike