[syslinux] [PATCH 4/5] installers: fix a possible buffer overflow when looking for LDLINUX_MAGIC
Pete Batard
pete at akeo.ie
Tue Mar 8 03:59:34 PST 2016
As promised. This makes sure to remove the size of the area we need,
using a for loop similar to the one we use for the checksum later on.
You'll notice that we use (i <= dw) instead of (i < dw) as 'struct
patch_area', which we removed from our length, does contain
LDLINUX_MAGIC as its first DWORD, and we want to be able to locate that
magic even if it's at the very end of our buffer.
Maybe a more explicit way would have been to have:
dw = (boot_image_len - sizeof(struct patch_area) + sizeof(uint32_t))
>> 2;
and use the expected (i < dw), but I'm not sure we want to go that far...
Regards,
/Pete
From 5a9b5b9f9032e7e5e3377024da775917dddfb364 Mon Sep 17 00:00:00 2001
From: Pete Batard <pete at akeo.ie>
Date: Tue, 8 Mar 2016 11:45:44 +0000
Subject: [PATCH] installers: fix a possible buffer overflow when looking for
LDLINUX_MAGIC
---
libinstaller/syslxmod.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libinstaller/syslxmod.c b/libinstaller/syslxmod.c
index 7bf4d91..80d0b43 100644
--- a/libinstaller/syslxmod.c
+++ b/libinstaller/syslxmod.c
@@ -122,10 +122,12 @@ int syslinux_patch(const sector_t *sectp, int nsectors,
return -1; /* The actual file is too small for content */
/* Search for LDLINUX_MAGIC to find the patch area */
- for (wp = (const uint32_t _slimg *)boot_image;
- get_32_sl(wp) != LDLINUX_MAGIC;
- wp++)
- ;
+ dw = (boot_image_len - sizeof(struct patch_area)) >> 2;
+ for (i = 0, wp = (const uint32_t _slimg *)boot_image;
+ (i <= dw) && ((get_32_sl(wp) != LDLINUX_MAGIC));
+ i++, wp++)
+ if (i > dw) /* Not found */
+ return -1;
patcharea = (struct patch_area _slimg *)wp;
epa = slptr(boot_image, &patcharea->epaoffset);
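Review bot: the new `for` statement in this hunk has no terminating `;` (the original's empty body on its own line was dropped along with the old loop), so `if (i > dw) return -1;` becomes the loop body rather than the post-loop check. Inside the loop `i <= dw` always holds, so that `return -1` can never execute, and when the magic is absent the loop still exits with `wp` one past the last scanned dword and execution falls through to `patcharea = ... wp` exactly as before the patch. Restore the empty body, e.g. `i++, wp++)` followed by a line containing just `;`, and then the `if (i > dw)` check works as intended. Two smaller points: `dw = (boot_image_len - sizeof(struct patch_area)) >> 2` only makes sense if the "file is too small" check just above guarantees `boot_image_len >= sizeof(struct patch_area)`, which is worth confirming since an unsigned underflow there would turn the bound into a huge value and defeat the fix; and the double parentheses around `(get_32_sl(wp) != LDLINUX_MAGIC)` are redundant.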
--
1.9.5.msysgit.1
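The bounds arithmetic in the message above (stop at the last dword index at which a whole `struct patch_area` still fits, hence `i <= dw`) is easy to get off by one in either direction. Here is a stand-alone C example, added here and not syslinux's own code, that implements the same bounded search over a byte buffer and exercises the edge cases: magic at the very last admissible offset, magic present but too close to the end for the struct to fit, no magic at all, and an image shorter than the struct. The magic value and the `struct patch_area` layout are assumptions for the example (only the struct's size matters for the check); `find_patch_area`, `get_le32`, `put_le32` and `scan_image_with_magic_at` are hypothetical names, and the image contents are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: the real magic value and struct layout live in
 * syslinux's headers. Only sizeof(struct patch_area) matters for the bound. */
#define LDLINUX_MAGIC 0x3eb202feu

struct patch_area {
    uint32_t magic;       /* must equal LDLINUX_MAGIC */
    uint32_t fields[5];   /* placeholder for the remaining members */
};                        /* 24 bytes on every sane ABI */

/* Explicit little-endian loads/stores; the on-disk image is little-endian
 * regardless of the host, which is what get_32_sl() hides in syslinux. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Returns the byte offset of the patch area, or -1 when no LDLINUX_MAGIC is
 * found at an offset where a complete struct patch_area still fits in [0, len).
 * dw is the largest dword index i such that 4*i + sizeof(struct patch_area)
 * <= len, so the loop must run while i <= dw, not i < dw. */
static long find_patch_area(const uint8_t *img, size_t len)
{
    size_t i, dw;

    if (len < sizeof(struct patch_area))
        return -1;                      /* avoid unsigned underflow below */
    dw = (len - sizeof(struct patch_area)) >> 2;
    for (i = 0; i <= dw; i++)
        if (get_le32(img + 4 * i) == LDLINUX_MAGIC)
            return (long)(4 * i);
    return -1;                          /* not found within bounds */
}

#define IMG_MAX 256

/* Builds a constructed image of `len` bytes filled with 0x11 (so no stray
 * dword can equal the magic), plants the magic at magic_off if magic_off >= 0
 * and the dword fits, then runs the bounded search. */
static long scan_image_with_magic_at(size_t len, long magic_off)
{
    uint8_t img[IMG_MAX];

    if (len > IMG_MAX)
        return -2;
    memset(img, 0x11, sizeof img);
    if (magic_off >= 0 && (size_t)magic_off + 4 <= len)
        put_le32(img + magic_off, LDLINUX_MAGIC);
    return find_patch_area(img, len);
}

int main(void)
{
    /* 64-byte image: dw = (64 - 24) >> 2 = 10, so offset 40 is the last hit. */
    printf("magic at 40 in 64 bytes: %ld\n", scan_image_with_magic_at(64, 40)); /* 40 */
    printf("magic at 44 in 64 bytes: %ld\n", scan_image_with_magic_at(64, 44)); /* -1 */
    printf("no magic in 64 bytes:    %ld\n", scan_image_with_magic_at(64, -1)); /* -1 */
    /* 63-byte image: dw = 39 >> 2 = 9, so offset 36 fits and 40 does not. */
    printf("magic at 36 in 63 bytes: %ld\n", scan_image_with_magic_at(63, 36)); /* 36 */
    printf("magic at 40 in 63 bytes: %ld\n", scan_image_with_magic_at(63, 40)); /* -1 */
    /* Image shorter than the struct is rejected before any subtraction. */
    printf("magic at 0 in 16 bytes:  %ld\n", scan_image_with_magic_at(16, 0));  /* -1 */
    return 0;
}
```

The second and fifth cases are the ones the unbounded loop in the pre-patch code got wrong: a bare dword read of the magic fits in the buffer, but the `struct patch_area` that the caller then dereferences through `patcharea` would extend past `len`. Flooring `(len - sizeof(struct patch_area)) >> 2` is what makes a non-multiple-of-four length safe; the `<=` is what keeps the last legitimate offset reachable.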