state: backend_raw: add sanity check of data_len during load
The length of the data must fit into the remaining available space until the next copy of the data. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This commit is contained in:
parent
ab1f4aa928
commit
51b0b010be
1 changed files with 11 additions and 0 deletions
|
@ -1053,14 +1053,18 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
|
||||||
uint32_t crc;
|
uint32_t crc;
|
||||||
struct state_variable *sv;
|
struct state_variable *sv;
|
||||||
struct backend_raw_header header = {};
|
struct backend_raw_header header = {};
|
||||||
|
unsigned long max_len;
|
||||||
int ret;
|
int ret;
|
||||||
void *buf;
|
void *buf;
|
||||||
|
|
||||||
|
max_len = backend_raw->stride;
|
||||||
|
|
||||||
ret = lseek(fd, offset, SEEK_SET);
|
ret = lseek(fd, offset, SEEK_SET);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
ret = read_full(fd, &header, sizeof(header));
|
ret = read_full(fd, &header, sizeof(header));
|
||||||
|
max_len -= sizeof(header);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
@ -1079,6 +1083,13 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (header.data_len > max_len) {
|
||||||
|
dev_err(&state->dev,
|
||||||
|
"invalid data_len %u in header, max is %lu\n",
|
||||||
|
header.data_len, max_len);
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
buf = xzalloc(header.data_len);
|
buf = xzalloc(header.data_len);
|
||||||
|
|
||||||
ret = read_full(fd, buf, header.data_len);
|
ret = read_full(fd, buf, header.data_len);
|
||||||
|
|
Loading…
Reference in a new issue