author | Jean Delvare <jdelvare@suse.de> | 2018-09-13 09:25:53 +0200 |
---|---|---|
committer | Jean Delvare <jdelvare@suse.de> | 2018-09-13 09:25:53 +0200 |
commit | 95c712fe7a58c98b85165f11a6afb83562a14fd7 (patch) | |
tree | dd029e883e229a77289c35952cad6b93abf09097 | |
parent | 78539b06117cb3c533d08f14bdf7c7ea4a1a4f0a (diff) | |
download | dmidecode-git-95c712fe7a58c98b85165f11a6afb83562a14fd7.tar.gz |
dmidecode: Sanity check the table offset in dump files
If the offset (base) is beyond the end of the file (statbuf.st_size),
the computations will lead to an integer overflow. As it doesn't make
sense in the first place, check for this condition and fail
immediately.
This bug was discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Fixes: bd78a5dfd470 ("dmidecode: Don't allocate more memory than needed")
-rw-r--r-- | util.c | 11 |
1 files changed, 9 insertions, 2 deletions
@@ -2,7 +2,7 @@
 * Common "util" functions
 * This file is part of the dmidecode project.
 *
- * Copyright (C) 2002-2017 Jean Delvare <jdelvare@suse.de>
+ * Copyright (C) 2002-2018 Jean Delvare <jdelvare@suse.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -117,7 +117,14 @@ void *read_file(off_t base, size_t *max_len, const char *filename)
 */
 if (fstat(fd, &statbuf) == 0)
 {
- if (base + (off_t)*max_len > statbuf.st_size)
+ if (base >= statbuf.st_size)
+ {
+ fprintf(stderr, "%s: Can't read data beyond EOF\n",
+ filename);
+ p = NULL;
+ goto out;
+ }
+ if (*max_len > (size_t)statbuf.st_size - base)
 *max_len = statbuf.st_size - base;
 } |
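Review bot: In the new clamp `if (*max_len > (size_t)statbuf.st_size - base)` the cast binds to `st_size` alone, so the subtraction mixes `size_t` with the signed `off_t` `base`, and the result depends on the relative widths of the two types. Where `off_t` is wider than `size_t`, the file size is truncated before `base` is subtracted. Casting the difference instead, `if (*max_len > (size_t)(statbuf.st_size - base))`, keeps the arithmetic in `off_t`, where the added `base >= statbuf.st_size` check already guarantees a positive value. That check does not reject a negative `base`, which the `off_t` parameter allows and which would make the computed remainder larger than the file; unless callers rule it out (not visible here), `if (base < 0 || base >= statbuf.st_size)` would cover it. read_file's body starts and ends outside the hunk, so how the later seek and read treat these cases cannot be confirmed from this page.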