[coreboot] [PATCH] v3: Sanity-check file name length in LAR
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2006 at gmx.net
Mon Aug 18 23:05:13 CEST 2008
Check that the filename in the LAR neither overruns the
archive nor exceeds MAX_PATHLEN.
Needs a generic max() function to compile. Where do we want
that function?
Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net>
Index: corebootv3-lar_overrun_prevention/lib/lar.c
===================================================================
--- corebootv3-lar_overrun_prevention/lib/lar.c (Revision 785)
+++ corebootv3-lar_overrun_prevention/lib/lar.c (Arbeitskopie)
@@ -69,6 +69,7 @@
{
char *walk, *fullname;
struct lar_header *header;
+ int headroom;
printk(BIOS_INFO, "LAR: Attempting to open '%s'.\n", filename);
printk(BIOS_SPEW, "LAR: Start %p len 0x%x\n", archive->start,
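Review bot: headroom is declared as int, but its only use is as the length argument of strncmp(), which takes a size_t. If the computed value ever came out negative it would convert to a very large length and the bound would be lost. Declare it as size_t, or reject a negative result before the compare.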
@@ -123,7 +124,11 @@
printk(BIOS_SPEW, "LAR: seen member %s\n", fullname);
// FIXME: check checksum
- if (strcmp(fullname, filename) == 0) {
+ /* Check that the name does neither overrun the archive nor
+ * exceed MAX_PATHLEN.
+ */
+ headroom = max(archive->len - (int)((char *)archive->start - fullname), MAX_PATHLEN);
+ if (strncmp(fullname, filename, headroom) == 0) {
printk(BIOS_SPEW, "LAR: CHECK %s @ %p\n", fullname, header);
result->start = walk + ntohl(header->offset);
result->len = ntohl(header->len);
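Review bot: max() in the headroom assignment picks the larger of the two limits, so the compare length is never below MAX_PATHLEN and can extend past the end of the archive; enforcing both limits named in the comment needs min(). The pointer difference also looks reversed: (char *)archive->start - fullname is negative when fullname lies inside the archive, so subtracting it makes the first operand larger than archive->len, whereas fullname - (char *)archive->start gives the bytes already consumed. Separately, the "seen member %s" printk above the check and the "CHECK %s" printk after it still read fullname without a bound, and strncmp() returning 0 after headroom bytes treats an unterminated name as a match, so an explicit terminator check within the bound would be safer.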
--
http://www.hailfinger.org/