ecard_readchunk() reads variable-length string chunk payloads into a fixed 256-byte local buffer without checking whether the encoded chunk length actually fits.
Treat overlong string chunks as invalid and terminate accepted ones before copying them into the exported chunk directory buffer.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
arch/arm/mach-rpc/ecard.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/mach-rpc/ecard.c b/arch/arm/mach-rpc/ecard.c
index 972465840548..1340ef0364f8 100644
--- a/arch/arm/mach-rpc/ecard.c
+++ b/arch/arm/mach-rpc/ecard.c
@@ -367,9 +367,12 @@ int ecard_readchunk(struct in_chunk_dir *cd, ecard_t *ec, int id, int num)
if (c_id(&excd) & 0x80) {
switch (c_id(&excd) & 0x70) {
case 0x70:
+ if (c_len(&excd) >= sizeof(excd.d.string))
+ return 0;
ecard_readbytes((unsigned char *)excd.d.string, ec,
(int)c_start(&excd), c_len(&excd),
useld);
+ excd.d.string[c_len(&excd)] = '\0';
break;
case 0x00:
break;
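Review bot: In the `case 0x70` branch the card-supplied length `c_len(&excd)` is evaluated three separate times (bounds check, `ecard_readbytes()` call, terminator index), and nothing records why the check uses `>=` rather than `>`. Reading it once into a local, e.g. `unsigned int len = c_len(&excd);`, and using `len` in all three places would make it clear that one validated value bounds both writes. If `c_len()` yields a signed int, it would also remove the implicit signed-to-`size_t` conversion in the comparison with `sizeof(excd.d.string)`. A comment above the check such as `/* length comes from the card; keep one byte free for the NUL */` would document the intent. The rest of ecard_readchunk() lies outside the hunk, so it cannot be confirmed here whether callers can tell the new `return 0` for a malformed chunk apart from a chunk that is simply absent; if they cannot, a rate-limited warning on this path would help diagnose a bad card.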
--
2.50.1 (Apple Git-155)