3027 installgrub can segfault when encountering bogus data on disk

*** 105,123 **** /* * Given a pointer to the extra information area (a sequence of bb_header_ext_t * + payload chunks), find the extended information structure. */ bblk_einfo_t * ! find_einfo(char *extra) { bb_header_ext_t *ext_header; bblk_einfo_t *einfo; uint32_t cksum; assert(extra != NULL); ext_header = (bb_header_ext_t *)extra; cksum = compute_checksum(extra + sizeof (bb_header_ext_t), ext_header->size); BOOT_DEBUG("Extended information header checksum is %x\n", cksum); if (cksum != ext_header->checksum) { --- 105,129 ---- /* * Given a pointer to the extra information area (a sequence of bb_header_ext_t * + payload chunks), find the extended information structure. */ bblk_einfo_t * ! find_einfo(char *extra, uint32_t size) { bb_header_ext_t *ext_header; bblk_einfo_t *einfo; uint32_t cksum; assert(extra != NULL); ext_header = (bb_header_ext_t *)extra; + if (ext_header->size > size) { + BOOT_DEBUG("Unable to find extended versioning information, " + "data size too big\n"); + return (NULL); + } + cksum = compute_checksum(extra + sizeof (bb_header_ext_t), ext_header->size); BOOT_DEBUG("Extended information header checksum is %x\n", cksum); if (cksum != ext_header->checksum) {
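Review bot: The new bound `ext_header->size > size` does not account for the header itself, because compute_checksum() starts reading at `extra + sizeof (bb_header_ext_t)`. If `size` is the length of the whole extra area (the caller is not visible here, so this needs confirming), a bogus on-disk `size` can still run the checksum up to one header length past the buffer. The header is also dereferenced before anything establishes that `size` is large enough to hold it. A tighter guard would be `if (size < sizeof (bb_header_ext_t) || ext_header->size > size - sizeof (bb_header_ext_t)) {`, evaluated before `ext_header->size` is used for anything else. The body of find_einfo() continues past the end of the hunk, so whether the later accesses through `einfo` are bounded by the same value cannot be checked from here.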