Check that the filename in the LAR neither overruns the archive nor exceeds MAX_PATHLEN.
Needs a generic max() function to compile. Where do we want that function?
Signed-off-by: Carl-Daniel Hailfinger c-d.hailfinger.devel.2006@gmx.net
Index: corebootv3-lar_overrun_prevention/lib/lar.c =================================================================== --- corebootv3-lar_overrun_prevention/lib/lar.c (Revision 785) +++ corebootv3-lar_overrun_prevention/lib/lar.c (Arbeitskopie) @@ -69,6 +69,7 @@ { char *walk, *fullname; struct lar_header *header; + int headroom;
printk(BIOS_INFO, "LAR: Attempting to open '%s'.\n", filename); printk(BIOS_SPEW, "LAR: Start %p len 0x%x\n", archive->start, @@ -123,7 +124,11 @@ printk(BIOS_SPEW, "LAR: seen member %s\n", fullname); // FIXME: check checksum
- if (strcmp(fullname, filename) == 0) { + /* Check that the name does neither overrun the archive nor + * exceed MAX_PATHLEN. + */ + headroom = max(archive->len - (int)((char *)archive->start - fullname), MAX_PATHLEN); + if (strncmp(fullname, filename, headroom) == 0) { printk(BIOS_SPEW, "LAR: CHECK %s @ %p\n", fullname, header); result->start = walk + ntohl(header->offset); result->len = ntohl(header->len);
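Review bot: headroom is declared as int in the first hunk, but in the second hunk it is passed as the length argument of strncmp, which takes a size_t. If the subtraction ever yields a negative value, it converts to a very large bound and the limit is lost. Declare it as an unsigned size, or reject non-positive values before the compare.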
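Review bot: in the headroom assignment of the second hunk, max() selects the larger of the two limits, so the strncmp bound is never below MAX_PATHLEN and can exceed what is left in the archive; the comment describes min(). The pointer difference also looks reversed: (char *)archive->start - fullname is negative for a name located inside the archive, so subtracting it from archive->len enlarges headroom instead of shrinking it. Using fullname - (char *)archive->start gives the offset to subtract. Separately, strncmp returns 0 when the first headroom bytes agree, so a name that is cut off at the bound would match a longer filename sharing that prefix; consider skipping the member when no terminator is found within the bound.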