Fix restorevol crash on corrupt nDumpTimes value

If the number of dump times claimed in the volume header was greater
than MAXDUMPTIMES, restorevol would happily write over random stack
memory and crash.  Sanity-check the loaded value and cap it to
MAXDUMPTIMES with a warning.

Bug found by Mayhem and reported by Alexandre Rebert.

Change-Id: Ib0edd9b1b6f540d8b0128151333d3bb0a8ef37fa
Reviewed-on: http://gerrit.openafs.org/10025
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>

diff --git a/src/volser/restorevol.c b/src/volser/restorevol.c
index 653a6ac..f4a54b7 100644 (file)
--- a/src/volser/restorevol.c
+++ b/src/volser/restorevol.c
@@ -162,6 +162,11 @@ ReadDumpHeader(struct DumpHeader *dh)
 
        case 't':
            dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
+           if (dh->nDumpTimes > MAXDUMPTIMES) {
+               fprintf(stderr, "Too many dump times in header (%d > %d)\n",
+                       dh->nDumpTimes, MAXDUMPTIMES);
+               dh->nDumpTimes = MAXDUMPTIMES;
+           }
            for (i = 0; i < dh->nDumpTimes; i++) {
                dh->dumpTimes[i].from = ntohl(readvalue(4));
                dh->dumpTimes[i].to = ntohl(readvalue(4));