3027 installgrub can segfault when encountering bogus data on disk
*** 105,123 ****
/*
* Given a pointer to the extra information area (a sequence of bb_header_ext_t
* + payload chunks), find the extended information structure.
*/
bblk_einfo_t *
! find_einfo(char *extra)
{
bb_header_ext_t *ext_header;
bblk_einfo_t *einfo;
uint32_t cksum;
assert(extra != NULL);
ext_header = (bb_header_ext_t *)extra;
cksum = compute_checksum(extra + sizeof (bb_header_ext_t),
ext_header->size);
BOOT_DEBUG("Extended information header checksum is %x\n", cksum);
if (cksum != ext_header->checksum) {
--- 105,129 ----
/*
* Given a pointer to the extra information area (a sequence of bb_header_ext_t
* + payload chunks), find the extended information structure.
*/
bblk_einfo_t *
! find_einfo(char *extra, uint32_t size)
{
bb_header_ext_t *ext_header;
bblk_einfo_t *einfo;
uint32_t cksum;
assert(extra != NULL);
ext_header = (bb_header_ext_t *)extra;
+ if (ext_header->size > size) {
+ BOOT_DEBUG("Unable to find extended versioning information, "
+ "data size too big\n");
+ return (NULL);
+ }
+
cksum = compute_checksum(extra + sizeof (bb_header_ext_t),
ext_header->size);
BOOT_DEBUG("Extended information header checksum is %x\n", cksum);
if (cksum != ext_header->checksum) {
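Review bot: The new bound `if (ext_header->size > size)` in find_einfo() ignores the header that precedes the payload. compute_checksum() starts at `extra + sizeof (bb_header_ext_t)` and reads `ext_header->size` bytes, so if `size` is the length of the whole extra area (an assumption, since the callers are outside this hunk), an on-disk size within one header length of `size` still passes and the checksum reads past the buffer. `ext_header->size` is also dereferenced before anything confirms that `size` covers a full header. A guard such as `if (size < sizeof (bb_header_ext_t) || ext_header->size > size - sizeof (bb_header_ext_t))` would close both gaps. The block comment should also state what `size` measures, e.g. `size is the number of bytes available starting at extra`; the function body continues past the end of the hunk.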