3027 installgrub can segfault when encountering bogus data on disk

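--- a/usr/src/cmd/boot/common/mboot_extra.c
+++ b/usr/src/cmd/boot/common/mboot_extra.c
@@ -100,29 +100,35 @@
         }
 
         return (BC_ERROR);
 }
 
 /*
  * Given a pointer to the extra information area (a sequence of bb_header_ext_t
  * + payload chunks), find the extended information structure.
  */
 bblk_einfo_t *
-find_einfo(char *extra)
+find_einfo(char *extra, uint32_t size)
 {
         bb_header_ext_t         *ext_header;
         bblk_einfo_t            *einfo;
         uint32_t                cksum;
 
         assert(extra != NULL);
 
         ext_header = (bb_header_ext_t *)extra;
+        if (ext_header->size > size) {
+                BOOT_DEBUG("Unable to find extended versioning information, "
+                    "data size too big\n");
+                return (NULL);
+        }
+
         cksum = compute_checksum(extra + sizeof (bb_header_ext_t),
             ext_header->size);
         BOOT_DEBUG("Extended information header checksum is %x\n", cksum);
 
         if (cksum != ext_header->checksum) {
                 BOOT_DEBUG("Unable to find extended versioning information, "
                     "data looks corrupted\n");
                 return (NULL);
         }
 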
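Review bot: The new bound `if (ext_header->size > size)` compares the payload length against `size` without subtracting the header that precedes the payload. If `size` is the length of the whole extra area (the callers are not visible here), `compute_checksum(extra + sizeof (bb_header_ext_t), ext_header->size)` can still read up to `sizeof (bb_header_ext_t)` bytes past the buffer when the on-disk size field is close to `size`. `ext_header->size` is also dereferenced before anything establishes that `size` covers a full header. A guard such as `if (size < sizeof (bb_header_ext_t) || ext_header->size > size - sizeof (bb_header_ext_t))` would cover both cases. The body of find_einfo continues past the visible lines, so whether the payload is later checked to be at least `sizeof (bblk_einfo_t)` cannot be confirmed from this section.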