From 7762e02b172913e8af82f6ba013487527413be84 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 10 Sep 2012 11:58:00 +0200 Subject: journald: detect invalid header pointers correctly --- src/journal/journal-file.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c index 06de2acc50..c8193baa3b 100644 --- a/src/journal/journal-file.c +++ b/src/journal/journal-file.c @@ -221,10 +221,16 @@ static int journal_file_verify_header(JournalFile *f) { if (le64toh(f->header->tail_object_offset) > (le64toh(f->header->header_size) + le64toh(f->header->arena_size))) return -ENODATA; - if (!VALID64(f->header->data_hash_table_offset) || - !VALID64(f->header->field_hash_table_offset) || - !VALID64(f->header->tail_object_offset) || - !VALID64(f->header->entry_array_offset)) + if (!VALID64(le64toh(f->header->data_hash_table_offset)) || + !VALID64(le64toh(f->header->field_hash_table_offset)) || + !VALID64(le64toh(f->header->tail_object_offset)) || + !VALID64(le64toh(f->header->entry_array_offset))) + return -ENODATA; + + if (le64toh(f->header->data_hash_table_offset) < le64toh(f->header->header_size) || + le64toh(f->header->field_hash_table_offset) < le64toh(f->header->header_size) || + le64toh(f->header->tail_object_offset) < le64toh(f->header->header_size) || + le64toh(f->header->entry_array_offset) < le64toh(f->header->header_size)) return -ENODATA; if (f->writable) { @@ -323,6 +329,9 @@ static int journal_file_move_to(JournalFile *f, int context, bool keep_always, u assert(f); assert(ret); + if (size <= 0) + return -EINVAL; + /* Avoid SIGBUS on invalid accesses */ if (offset + size > (uint64_t) f->last_stat.st_size) { /* Hmm, out of range? Let's refresh the fstat() data -- cgit v1.2.3-54-g00ecf