[PATCH 15/21] dm: Additional data_size/data_start checks

Eugene Syromyatnikov evgsyr at gmail.com
Sun Oct 9 13:31:02 UTC 2016


---
 dm.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/dm.c b/dm.c
index 814d7d2..289bc0d 100644
--- a/dm.c
+++ b/dm.c
@@ -293,7 +293,8 @@ dm_known_ioctl(struct tcb *tcp, const unsigned int code, long arg)
 	if (!ioc)
 		return 0;
 
-	if (umoven(tcp, arg, sizeof(*ioc) - sizeof(ioc->data), ioc) < 0) {
+	if ((umoven(tcp, arg, sizeof(*ioc) - sizeof(ioc->data), ioc) < 0) ||
+	    (ioc->data_size < offsetof(struct dm_ioctl, data_size))) {
 		free(ioc);
 		return 0;
 	}
@@ -335,6 +336,11 @@ dm_known_ioctl(struct tcb *tcp, const unsigned int code, long arg)
 		goto skip;
 	}
 
+	if (ioc->data_size < (sizeof(*ioc) - sizeof(ioc->data))) {
+		tprints(", /* Incorrect data_size */ ...");
+		goto skip;
+	}
+
 	dm_decode_device(code, ioc);
 	dm_decode_values(tcp, code, ioc);
 	dm_decode_flags(ioc);
-- 
1.7.10.4





More information about the Strace-devel mailing list