[syslinux] [PATCH 4/5] installers: fix a possible buffer overflow when looking for LDLINUX_MAGIC

Pete Batard pete at akeo.ie
Tue Mar 8 03:59:34 PST 2016


As promised. This makes sure to remove the size of the area we need 
using a similar for loop as the one we use for the checksum later on.

You'll notice that we use (i <= dw) instead of (i < dw) as 'struct 
patch_area', which we removed from our length, does contain 
LDLINUX_MAGIC as its first DWORD, and we want to be able to locate that 
magic even if it's at the very end of our buffer.

Maybe a more explicit way would have been to have:
   dw = (boot_image_len - sizeof(struct patch_area) + sizeof(uint32_t)) >> 2;
and use the expected (i < dw) but I'm not sure we want to go that far...

Regards,

/Pete
-------------- next part --------------
From 5a9b5b9f9032e7e5e3377024da775917dddfb364 Mon Sep 17 00:00:00 2001
From: Pete Batard <pete at akeo.ie>
Date: Tue, 8 Mar 2016 11:45:44 +0000
Subject: [PATCH] installers: fix a possible buffer overflow when looking for
 LDLINUX_MAGIC

---
 libinstaller/syslxmod.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libinstaller/syslxmod.c b/libinstaller/syslxmod.c
index 7bf4d91..80d0b43 100644
--- a/libinstaller/syslxmod.c
+++ b/libinstaller/syslxmod.c
@@ -122,10 +122,12 @@ int syslinux_patch(const sector_t *sectp, int nsectors,
 	return -1;		/* The actual file is too small for content */
 
     /* Search for LDLINUX_MAGIC to find the patch area */
-    for (wp = (const uint32_t _slimg *)boot_image;
-	 get_32_sl(wp) != LDLINUX_MAGIC;
-	 wp++)
-	;
+    dw = (boot_image_len - sizeof(struct patch_area)) >> 2;
+    for (i = 0, wp = (const uint32_t _slimg *)boot_image;
+	 (i <= dw) && ((get_32_sl(wp) != LDLINUX_MAGIC));
+	 i++, wp++)
+    if (i > dw)	/* Not found */
+	return -1;
     patcharea = (struct patch_area _slimg *)wp;
     epa = slptr(boot_image, &patcharea->epaoffset);
 
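Review bot: the rewritten for loop has no body statement, so the `if (i > dw) return -1;` that follows it becomes the loop body and the not-found check is dead code: it executes only while the loop condition `(i <= dw)` holds, and once the loop exits because `i > dw` nothing returns -1 before `patcharea = (struct patch_area _slimg *)wp;` is reached with `wp` pointing past the last position where a whole `struct patch_area` fits in the buffer. Restore the empty statement after the loop header (`i++, wp++)` followed by `;` on its own line, as the removed version had) or give the loop braces, and keep the `if (i > dw)` after it. A short comment that `i <= dw` is intentional, because LDLINUX_MAGIC is the first DWORD of `struct patch_area` and a hit at index `dw` still leaves the full struct inside `boot_image_len`, would save the next reader the reasoning in the cover note. The declarations of `i` and `dw` are not in the hunk; since `dw` is derived from `sizeof`, they should be unsigned so the comparisons don't mix signedness.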
-- 
1.9.5.msysgit.1
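The bounded search the patch describes, as an added stand-alone example that is not syslinux code: the magic is the first DWORD of the patch area, so the last DWORD index worth examining is `dw = (len - sizeof(struct patch_area)) >> 2` inclusive, exactly the `i <= dw` reasoning in the message. The `struct patch_area` layout, the `get_32` helper and the image contents are constructed for the example; the value used for LDLINUX_MAGIC is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed value for syslinux's LDLINUX_MAGIC, redefined so the example is self-contained. */
#define LDLINUX_MAGIC 0x3eb202feU

/* Hypothetical, simplified stand-in for syslinux's 'struct patch_area':
 * the only property the search relies on is that the magic is the first DWORD. */
struct patch_area {
    uint32_t magic;
    uint32_t instance;
    uint32_t checksum;
    uint32_t datalen;
};

/* Little-endian, alignment-safe 32-bit read (plays the role of get_32_sl). */
static uint32_t get_32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded search for the patch area.
 * Returns the DWORD index of the magic, or -1 if no position is found at
 * which a whole 'struct patch_area' would still fit inside 'len' bytes.
 * Index 'dw' is inclusive: a magic there puts the struct at byte offset
 * 4*dw and its end at 4*dw + sizeof(struct patch_area) <= len. */
long find_patch_area(const uint8_t *img, size_t len)
{
    size_t dw, i;

    if (len < sizeof(struct patch_area))
        return -1;                      /* too small to hold a patch area at all */
    dw = (len - sizeof(struct patch_area)) >> 2;
    for (i = 0; i <= dw; i++) {
        if (get_32(img + 4 * i) == LDLINUX_MAGIC)
            return (long)i;
    }
    return -1;                          /* not found: never walk off the buffer */
}

/* Builds a constructed boot image: zero-filled, with the magic written at
 * DWORD index 'magic_index' (or nowhere if magic_index < 0). */
void build_image(uint8_t *img, size_t len, long magic_index)
{
    uint32_t m = LDLINUX_MAGIC;

    memset(img, 0, len);
    if (magic_index >= 0 && (size_t)magic_index * 4 + 4 <= len) {
        size_t off = (size_t)magic_index * 4;
        img[off + 0] = (uint8_t)(m & 0xff);
        img[off + 1] = (uint8_t)((m >> 8) & 0xff);
        img[off + 2] = (uint8_t)((m >> 16) & 0xff);
        img[off + 3] = (uint8_t)((m >> 24) & 0xff);
    }
}

int main(void)
{
    uint8_t img[64];                    /* 64-byte image: dw = (64 - 16) >> 2 = 12 */
    long cases[] = { 2, 12, 13, -1 };
    size_t n;

    for (n = 0; n < sizeof(cases) / sizeof(cases[0]); n++) {
        build_image(img, sizeof(img), cases[n]);
        printf("magic at index %ld -> search result %ld\n",
               cases[n], find_patch_area(img, sizeof(img)));
    }
    return 0;
}
```

With a 64-byte image and a 16-byte patch area, a magic at index 12 is the last legal hit; a magic at index 13 is rejected even though the four magic bytes themselves are inside the buffer, because the struct starting there would run 4 bytes past the end. The old unbounded loop would have accepted it (or read past the buffer when no magic is present at all).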
