3027 installgrub can segfault when encountering bogus data on disk
@@ -105,19 +105,25 @@
/*
* Given a pointer to the extra information area (a sequence of bb_header_ext_t
* + payload chunks), find the extended information structure.
*/
bblk_einfo_t *
-find_einfo(char *extra)
+find_einfo(char *extra, uint32_t size)
{
bb_header_ext_t *ext_header;
bblk_einfo_t *einfo;
uint32_t cksum;
assert(extra != NULL);
ext_header = (bb_header_ext_t *)extra;
+ if (ext_header->size > size) {
+ BOOT_DEBUG("Unable to find extended versioning information, "
+ "data size too big\n");
+ return (NULL);
+ }
+
cksum = compute_checksum(extra + sizeof (bb_header_ext_t),
ext_header->size);
BOOT_DEBUG("Extended information header checksum is %x\n", cksum);
if (cksum != ext_header->checksum) {
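Review bot: The new bound `ext_header->size > size` does not account for the header that precedes the payload, since compute_checksum() starts at `extra + sizeof (bb_header_ext_t)` and reads `ext_header->size` bytes from there. If `size` is the length of the whole extra area (the callers are not visible in this hunk, so this needs confirming), a crafted on-disk `size` field within `sizeof (bb_header_ext_t)` of the limit still passes and the checksum reads past the buffer. The header is also dereferenced before anything establishes that the area can hold one. A guard such as `if (size < sizeof (bb_header_ext_t) || ext_header->size > size - sizeof (bb_header_ext_t)) {` would close both cases. The block comment above find_einfo should also state what `size` measures; the function body continues past the end of this hunk.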