From: "Volodymyr G. Lukiianyk" <volodymyrgl@gmail.com>
To: Greg Ungerer <gerg@uclinux.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
Date: Tue, 26 Aug 2008 20:57:50 +0300 [thread overview]
Message-ID: <48B4441E.5030108@gmail.com> (raw)
In-Reply-To: <48B442C3.2000309@gmail.com>
There are off-by-one errors in decompress_exec() when calculating the length of the
optional "original file name" and "comment" fields: the "ret" index is not
incremented when the terminating '\0' character is reached. The buffer-overflow
check (after the "extra-field" length was taken into account) is also fixed.
Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@gmail.com>
---
Sorry for the repost; it looks like I forgot to remove "--color" when I saved the diff
attached to the previous e-mail.
I encountered this off-by-one error when I tried to reuse the gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with a miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after a fix similar to this one, all worked fine.
WARNING: the proposed patch wasn't properly tested.
[Attachment: binfmt_flat_decompress_fix.diff]
diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index dfc0197..ccb781a 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -229,13 +229,13 @@ static int decompress_exec(
ret = 10;
if (buf[3] & EXTRA_FIELD) {
ret += 2 + buf[10] + (buf[11] << 8);
- if (unlikely(LBUFSIZE == ret)) {
+ if (unlikely(LBUFSIZE <= ret)) {
DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n");
goto out_free_buf;
}
}
if (buf[3] & ORIG_NAME) {
- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
+ while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n");
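Review bot: the `LBUFSIZE <= ret` test after the EXTRA_FIELD length is the right fix: `2 + buf[10] + (buf[11] << 8)` can advance `ret` by up to 65537 bytes, and the old `LBUFSIZE == ret` test only caught the single value that landed exactly on the end of the buffer, letting any larger `ret` through to the scans below. One subtlety of the new `while (ret < LBUFSIZE && buf[ret++] != 0)` scan: `ret` now equals `LBUFSIZE` both when no '\0' was found and when the '\0' is the last byte of the buffer, so the following `LBUFSIZE == ret` check also rejects a correctly terminated name. That is a safe outcome (no room is left for the deflate stream either way), but the "buffer overflow" debug message is then misleading; if the distinction matters, `buf[ret - 1] != 0` separates the two cases. Worth confirming separately that `LBUFSIZE` is the right bound here, i.e. that the earlier read into `buf` filled the whole buffer, since the scan walks up to `LBUFSIZE` bytes regardless of how many were actually read.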
@@ -243,7 +243,7 @@ static int decompress_exec(
}
}
if (buf[3] & COMMENT) {
- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
+ while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");
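Review bot: the COMMENT scan has the same property as the ORIG_NAME one above: with `buf[ret++]` the index ends at `LBUFSIZE` for a comment whose '\0' is the final byte as well as for an unterminated one, so `LBUFSIZE == ret` rejects both; acceptable, since no deflate data could follow, but the message reads as an overflow in both cases. Beyond what the hunk shows, RFC 1952 also defines FHCRC (FLG bit 1), a 2-byte header CRC that sits after the comment; nothing in this hunk skips it, so if decompress_exec() does not handle it elsewhere, `ret` is two bytes short for such files and zlib_inflate() would report a data error just like the off-by-one this patch fixes.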
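As an added example (not code from the patch, the reply, or fs/binfmt_flat.c), here is a stand-alone C walker for the gzip (RFC 1952) header that decompress_exec() parses, with the patched scan and the pre-patch scan side by side on constructed headers so the off-by-one and the extra-field overflow are visible as concrete offsets. The names gz_deflate_offset, gz_deflate_offset_prepatch and skip_cstring, the FHCRC handling, the len parameter standing in for LBUFSIZE and the sample byte strings are assumptions of this example, not of the kernel.

```c
/* Added example, not code from the patch or from fs/binfmt_flat.c: an
 * RFC 1952 gzip header walker returning the byte offset of the deflate
 * stream, next to a copy of the pre-patch scan. Function names, the FHCRC
 * handling and the sample headers are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>

/* FLG bits from RFC 1952; binfmt_flat.c uses the same values under these names. */
#define FHCRC        0x02
#define EXTRA_FIELD  0x04
#define ORIG_NAME    0x08
#define COMMENT      0x10

#define GZ_FIXED_HDR 10   /* ID1 ID2 CM FLG MTIME[4] XFL OS */

/* Advance *pos past a NUL-terminated field. Returns 0 when no terminator
 * exists before len (the truncated/unterminated case). */
static int skip_cstring(const unsigned char *buf, size_t len, size_t *pos)
{
	size_t i = *pos;

	while (i < len) {
		if (buf[i++] == 0) {
			*pos = i;      /* one past the '\0', as the patched loop does */
			return 1;
		}
	}
	return 0;
}

/* Offset of the deflate stream inside buf, or -1 if buf is not a gzip header
 * or the header runs past len. Mirrors the patched logic; "pos >= len" here
 * is the patch's "LBUFSIZE <= ret". */
long gz_deflate_offset(const unsigned char *buf, size_t len)
{
	size_t pos = GZ_FIXED_HDR;

	if (len < GZ_FIXED_HDR || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
		return -1;
	if (buf[3] & EXTRA_FIELD) {
		if (len - pos < 2)
			return -1;
		pos += 2 + buf[pos] + ((size_t)buf[pos + 1] << 8); /* XLEN, little-endian */
		if (pos >= len)
			return -1;
	}
	if ((buf[3] & ORIG_NAME) && !skip_cstring(buf, len, &pos))
		return -1;
	if ((buf[3] & COMMENT) && !skip_cstring(buf, len, &pos))
		return -1;
	if (buf[3] & FHCRC)      /* 2-byte header CRC; assumed here, not shown in the hunk */
		pos += 2;
	if (pos >= len)          /* nothing left for the compressed data */
		return -1;
	return (long)pos;
}

/* The pre-patch logic: the for loop stops ON the '\0' instead of past it,
 * and the extra-field check only fires on exact equality with len. */
long gz_deflate_offset_prepatch(const unsigned char *buf, size_t len)
{
	size_t pos = GZ_FIXED_HDR;

	if (len < GZ_FIXED_HDR + 2)   /* guard added so buf[10..11] stay in bounds */
		return -1;
	if (buf[3] & EXTRA_FIELD) {
		pos += 2 + buf[10] + (buf[11] << 8);
		if (len == pos)
			return -1;
	}
	if (buf[3] & ORIG_NAME) {
		for (; pos < len && buf[pos] != 0; pos++)
			;
		if (len == pos)
			return -1;
	}
	if (buf[3] & COMMENT) {
		for (; pos < len && buf[pos] != 0; pos++)
			;
		if (len == pos)
			return -1;
	}
	return (long)pos;
}

/* Constructed sample: FNAME "a.out", then four stand-in stream bytes. */
const unsigned char sample_name[] = {
	0x1f, 0x8b, 0x08, ORIG_NAME, 0, 0, 0, 0, 0x00, 0x03,
	'a', '.', 'o', 'u', 't', 0,
	0x4b, 0x4c, 0x4a, 0x06
};

/* Constructed sample: FNAME "x" and FCOMMENT "hi". The pre-patch scan never
 * moves off the first '\0', so the comment is never consumed at all. */
const unsigned char sample_name_comment[] = {
	0x1f, 0x8b, 0x08, ORIG_NAME | COMMENT, 0, 0, 0, 0, 0x00, 0x03,
	'x', 0,
	'h', 'i', 0,
	0x4b, 0x4c
};

/* Constructed sample: FEXTRA claiming XLEN = 4096 inside a 12-byte buffer. */
const unsigned char sample_extra_overflow[] = {
	0x1f, 0x8b, 0x08, EXTRA_FIELD, 0, 0, 0, 0, 0x00, 0x03,
	0x00, 0x10
};

int main(void)
{
	printf("name:           patched %ld, pre-patch %ld\n",
	       gz_deflate_offset(sample_name, sizeof(sample_name)),
	       gz_deflate_offset_prepatch(sample_name, sizeof(sample_name)));
	printf("name+comment:   patched %ld, pre-patch %ld\n",
	       gz_deflate_offset(sample_name_comment, sizeof(sample_name_comment)),
	       gz_deflate_offset_prepatch(sample_name_comment, sizeof(sample_name_comment)));
	printf("extra overflow: patched %ld, pre-patch %ld (buffer is %zu bytes)\n",
	       gz_deflate_offset(sample_extra_overflow, sizeof(sample_extra_overflow)),
	       gz_deflate_offset_prepatch(sample_extra_overflow, sizeof(sample_extra_overflow)),
	       sizeof(sample_extra_overflow));
	return 0;
}
```

On the first sample the patched walker lands on 16, the first byte after the name's terminator, while the pre-patch scan reports 15, the terminator itself, which is exactly the byte zlib_inflate() would then be handed as the start of the stream. On the third sample the pre-patch equality check lets an offset of 4108 through for a 12-byte buffer, which is the case the `<=` comparison in the patch closes.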
Thread overview: 2+ messages
2008-08-26 17:52 [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c Volodymyr G. Lukiianyk
2008-08-26 17:57 ` Volodymyr G. Lukiianyk [this message]