state: backend_raw: add sanity check of data_len during load

The length of the data must fit into the remaining available space until the next copy of the data. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-05-21 15:57:54 +02:00 · 2015-05-21 15:57:54 +02:00 · c028c09a4b
parent 3d809e6595
commit c028c09a4b
1 changed files with 11 additions and 0 deletions
--- a/common/state.c
+++ b/common/state.c
@ -1053,14 +1053,18 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
 	uint32_t crc;
 	struct state_variable *sv;
 	struct backend_raw_header header = {};
+	unsigned long max_len;
 	int ret;
 	void *buf;

+	max_len = backend_raw->stride;
+
 	ret = lseek(fd, offset, SEEK_SET);
 	if (ret < 0)
 		return ret;

 	ret = read_full(fd, &header, sizeof(header));
+	max_len -= sizeof(header);
 	if (ret < 0)
 		return ret;

@ -1079,6 +1083,13 @@ static int backend_raw_load_one(struct state_backend_raw *backend_raw,
 		return -EINVAL;
 	}

+	if (header.data_len > max_len) {
+		dev_err(&state->dev,
+			"invalid data_len %u in header, max is %lu\n",
+			header.data_len, max_len);
+		return -EINVAL;
+	}
+
 	buf = xzalloc(header.data_len);

 	ret = read_full(fd, buf, header.data_len);