[parted-devel] aix.c: Avoid memory overrun. Don't assume
logical sector size <= 512B
David Cantrell
dcantrell at redhat.com
Thu Mar 8 16:11:29 CET 2007
On Thu, 2007-03-08 at 15:43 +0100, Jim Meyering wrote:
> Here's a fix for the first memory overrun bug I found:
>
> aix.c: Avoid memory overrun. Don't assume logical sector size <= 512B
> * libparted/labels/aix.c (aix_probe): Return 0 if the
> sector size is larger than our AixLabel size.
> (aix_clobber): Rather than PED_ASSERT'ing that aix_probe returns 1,
> simply return 0 if aix_probe returns fails.
>
> diff --git a/libparted/labels/aix.c b/libparted/labels/aix.c
> index a16ead4..9e2a7bb 100644
> --- a/libparted/labels/aix.c
> +++ b/libparted/labels/aix.c
> @@ -48,6 +48,8 @@ aix_probe (const PedDevice *dev)
> AixLabel label;
>
> PED_ASSERT (dev != NULL, return 0);
> + if (sizeof (AixLabel) < dev->sector_size)
> + return 0;
>
> if (!ped_device_read (dev, &label, 0, 1))
> return 0;
> @@ -65,7 +67,8 @@ aix_clobber (PedDevice* dev)
> AixLabel label;
>
> PED_ASSERT (dev != NULL, return 0);
> - PED_ASSERT (aix_probe (dev), return 0);
> + if (!aix_probe (dev))
> + return 0;
>
> if (!ped_device_read (dev, &label, 0, 1))
> return 0;
> -----------------------------------------------
>
> The above is similar to what's done in dos.c's msdos_probe:
>
> if (dev->sector_size != 512)
> return 0;
>
> Is it possible to have a DOS or AIX partition on a CDROM with 2048-byte
> logical sectors? (I have no idea) If so, then it might make sense to
DOS, yes. AIX...no clue.
> do what rdb.c's amiga_probe does:
>
> if ((rdb=RDSK(ped_malloc(dev->sector_size)))==NULL)
> return 0;
>
> i.e., rather than simply returning when dev->sector_size is too large
> or != 512, just allocate a buffer of the required size and use that,
> rather than using the fixed-size one on the stack.
I like the approach of allocating the required buffer size instead of
using fixed-size buffers.
Either solution is fine, but I would prefer we go with the ped_malloc()
approach that's used in amiga_probe so we are consistent throughout
libparted.
--
David Cantrell <dcantrell at redhat.com>
Red Hat / Westford, MA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/parted-devel/attachments/20070308/25b004ad/attachment.pgp
More information about the parted-devel
mailing list