Fix restorevol crash on corrupt nDumpTimes value
author Russ Allbery <rra@stanford.edu>
Sat, 29 Jun 2013 21:27:55 +0000 (14:27 -0700)
committer Derrick Brashear <shadow@your-file-system.com>
Fri, 12 Jul 2013 15:02:37 +0000 (08:02 -0700)
If the number of dump times claimed in the volume header was greater
than MAXDUMPTIMES, restorevol would happily write over random stack
memory and crash.  Sanity-check the loaded value and cap it to
MAXDUMPTIMES with a warning.

Bug found by Mayhem and reported by Alexandre Rebert.

Change-Id: Ib0edd9b1b6f540d8b0128151333d3bb0a8ef37fa
Reviewed-on: http://gerrit.openafs.org/10025
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>

src/volser/restorevol.c

index 653a6ac..f4a54b7 100644 (file)
@@ -162,6 +162,11 @@ ReadDumpHeader(struct DumpHeader *dh)
 
        case 't':
            dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
+           if (dh->nDumpTimes > MAXDUMPTIMES) {
+               fprintf(stderr, "Too many dump times in header (%d > %d)\n",
+                       dh->nDumpTimes, MAXDUMPTIMES);
+               dh->nDumpTimes = MAXDUMPTIMES;
+           }
            for (i = 0; i < dh->nDumpTimes; i++) {
                dh->dumpTimes[i].from = ntohl(readvalue(4));
                dh->dumpTimes[i].to = ntohl(readvalue(4));
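Review bot: In the 't' case, capping dh->nDumpTimes to MAXDUMPTIMES makes the loop consume only MAXDUMPTIMES from/to pairs, so any excess pairs the header claimed stay unread in the input and whatever is parsed next starts in the middle of the dump-times data. Consider either reading and discarding the remaining pairs after the loop, or treating an oversized count as a fatal header error instead of a warning, since a header that fails this check is already known to be corrupt. Two smaller points on the fprintf: both values are printed with %d, which should be %u if nDumpTimes is an unsigned field, and the message would be clearer if it said the list is being truncated to MAXDUMPTIMES.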