[parted-devel] aix.c: Avoid memory overrun. Don't assume logical sector size <= 512B

David Cantrell dcantrell at redhat.com
Thu Mar 8 16:11:29 CET 2007


On Thu, 2007-03-08 at 15:43 +0100, Jim Meyering wrote:
> Here's a fix for the first memory overrun bug I found:
> 
> 	aix.c: Avoid memory overrun.  Don't assume logical sector size <= 512B
> 	* libparted/labels/aix.c (aix_probe): Return 0 if the
> 	sector size is larger than our AixLabel size.
> 	(aix_clobber): Rather than PED_ASSERT'ing that aix_probe returns 1,
> 	simply return 0 if aix_probe fails.
> 
> diff --git a/libparted/labels/aix.c b/libparted/labels/aix.c
> index a16ead4..9e2a7bb 100644
> --- a/libparted/labels/aix.c
> +++ b/libparted/labels/aix.c
> @@ -48,6 +48,8 @@ aix_probe (const PedDevice *dev)
>  	AixLabel	label;
> 
>  	PED_ASSERT (dev != NULL, return 0);
> +	if (sizeof (AixLabel) < dev->sector_size)
> +		return 0;
> 
>  	if (!ped_device_read (dev, &label, 0, 1))
>  		return 0;
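Review bot: the new guard `if (sizeof (AixLabel) < dev->sector_size)` only closes the overrun direction; when the sector is smaller than the label, the one-sector `ped_device_read (dev, &label, 0, 1)` fills just the first `dev->sector_size` bytes and the tail of `label` stays uninitialised for whatever checks follow. Either compare with `!=` the way the quoted `msdos_probe` does (`if (dev->sector_size != 512)`), or take the `amiga_probe` route quoted further down and read into a `ped_malloc (dev->sector_size)` buffer instead of the fixed-size stack `AixLabel`.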
> @@ -65,7 +67,8 @@ aix_clobber (PedDevice* dev)
>  	AixLabel label;
> 
>  	PED_ASSERT (dev != NULL, return 0);
> -	PED_ASSERT (aix_probe (dev), return 0);
> +	if (!aix_probe (dev))
> +		return 0;
> 
>  	if (!ped_device_read (dev, &label, 0, 1))
>  		return 0;
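Review bot: turning `PED_ASSERT (aix_probe (dev), return 0)` into a plain `if (!aix_probe (dev)) return 0;` is right now that the probe can legitimately fail on a large-sector device, but `aix_clobber` still reads one sector into its own fixed-size `AixLabel label` on the very next lines, so this function is safe only because `aix_probe` has just rejected that sector size. If the probe is later switched to a `ped_malloc (dev->sector_size)` buffer as the thread discusses, this read needs the same treatment or the overrun simply moves here.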
> -----------------------------------------------
> 
> The above is similar to what's done in dos.c's msdos_probe:
> 
>         if (dev->sector_size != 512)
>                 return 0;
> 
> Is it possible to have a DOS or AIX partition on a CDROM with 2048-byte
> logical sectors?  (I have no idea)  If so, then it might make sense to

DOS, yes.  AIX...no clue.

> do what rdb.c's amiga_probe does:
> 
> 	if ((rdb=RDSK(ped_malloc(dev->sector_size)))==NULL)
> 		return 0;
> 
> i.e., rather than simply returning when dev->sector_size is too large
> or != 512, just allocate a buffer of the required size and use that,
> rather than using the fixed-size one on the stack.

I like the approach of allocating the required buffer size instead of
using fixed-size buffers.

Either solution is fine, but I would prefer we go with the ped_malloc()
approach that's used in amiga_probe so we are consistent throughout
libparted.

-- 
David Cantrell <dcantrell at redhat.com>
Red Hat / Westford, MA
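The two approaches compared in this thread, as an added C example that is not parted's code: `FakeDevice`, `fake_device_read`, `FixedLabel`, `LABEL_MAGIC` and `demo` are constructed stand-ins, and the magic bytes are a placeholder rather than the value in aix.c. `probe_fixed` keeps a fixed-size stack label and refuses any other sector size (using the `!=` check from msdos_probe, since a sector smaller than the label is unsafe too), while `probe_heap` follows the amiga_probe pattern of allocating `dev->sector_size` bytes, so a 2048-byte-sector device is probed instead of being reported as unlabelled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for PedDevice and ped_device_read(): only what the example needs. */
typedef struct { size_t sector_size; const uint8_t *image; size_t image_len; } FakeDevice;
static int fake_device_read(const FakeDevice *dev, void *buf, size_t start, size_t count)
{
    size_t off = start * dev->sector_size, len = count * dev->sector_size;
    if (off + len > dev->image_len) return 0;   /* read past the constructed image */
    memcpy(buf, dev->image + off, len);         /* copies exactly `count` sectors */
    return 1;
}
/* Placeholder magic ("AIXL"); the real value is in aix.c and not quoted in the thread. */
static const uint8_t LABEL_MAGIC[4] = { 'A', 'I', 'X', 'L' };
typedef struct { uint8_t magic[4]; uint8_t pad[508]; } FixedLabel;  /* 512-byte stack label */

/* Patch-style probe with a fixed-size stack label: refuse any sector size that does not
 * match it exactly (larger overruns `label`, smaller leaves its tail uninitialised). */
int probe_fixed(const FakeDevice *dev)
{
    FixedLabel label;
    if (dev->sector_size != sizeof label) return 0;
    if (!fake_device_read(dev, &label, 0, 1)) return 0;
    return memcmp(label.magic, LABEL_MAGIC, 4) == 0;
}

/* amiga_probe-style probe: allocate exactly one sector, whatever its size. */
int probe_heap(const FakeDevice *dev)
{
    if (dev->sector_size < sizeof LABEL_MAGIC) return 0;  /* header must fit in one sector */
    uint8_t *buf = malloc(dev->sector_size);
    if (buf == NULL) return 0;
    int found = fake_device_read(dev, buf, 0, 1) && memcmp(buf, LABEL_MAGIC, 4) == 0;
    free(buf);
    return found;
}
/* Build a constructed one-sector image (optionally carrying the magic) and run one probe. */
int demo(size_t sector_size, int with_magic, int use_heap)
{
    uint8_t *img = calloc(sector_size, 1);
    if (img == NULL) return 0;
    if (with_magic) memcpy(img, LABEL_MAGIC, 4);
    FakeDevice dev = { sector_size, img, sector_size };
    int r = use_heap ? probe_heap(&dev) : probe_fixed(&dev);
    free(img);
    return r;
}
```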