diff options
author | Volodymyr G. Lukiianyk <volodymyrgl@gmail.com> | 2008-10-16 01:01:15 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-10-16 14:21:29 -0400 |
commit | f4cfb18d7917ecb397b3497e931a2a23175709b7 (patch) | |
tree | bb891b0f478e2ed7fa9dcefacc0b8342ce1b43d6 | |
parent | 0c6aa2639ea83bfb7f91d72118bad70b3f60012a (diff) |
uclinux: fix gzip header parsing in binfmt_flat.c
There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.
I've encountered this off-by-one error when tried to reuse
gzip-header-parsing part of the decompress_exec() function. There was an
"original file name" field in the payload (with miscalculated length) and
zlib_inflate() returned Z_DATA_ERROR. But after the fix similar to this
one all worked fine.
Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@gmail.com>
Acked-by: Greg Ungerer <gerg@snapgear.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/binfmt_flat.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index dfc0197905ca..ccb781a6a804 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c | |||
@@ -229,13 +229,13 @@ static int decompress_exec( | |||
229 | ret = 10; | 229 | ret = 10; |
230 | if (buf[3] & EXTRA_FIELD) { | 230 | if (buf[3] & EXTRA_FIELD) { |
231 | ret += 2 + buf[10] + (buf[11] << 8); | 231 | ret += 2 + buf[10] + (buf[11] << 8); |
232 | if (unlikely(LBUFSIZE == ret)) { | 232 | if (unlikely(LBUFSIZE <= ret)) { |
233 | DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n"); | 233 | DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n"); |
234 | goto out_free_buf; | 234 | goto out_free_buf; |
235 | } | 235 | } |
236 | } | 236 | } |
237 | if (buf[3] & ORIG_NAME) { | 237 | if (buf[3] & ORIG_NAME) { |
238 | for (; ret < LBUFSIZE && (buf[ret] != 0); ret++) | 238 | while (ret < LBUFSIZE && buf[ret++] != 0) |
239 | ; | 239 | ; |
240 | if (unlikely(LBUFSIZE == ret)) { | 240 | if (unlikely(LBUFSIZE == ret)) { |
241 | DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n"); | 241 | DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n"); |
@@ -243,7 +243,7 @@ static int decompress_exec( | |||
243 | } | 243 | } |
244 | } | 244 | } |
245 | if (buf[3] & COMMENT) { | 245 | if (buf[3] & COMMENT) { |
246 | for (; ret < LBUFSIZE && (buf[ret] != 0); ret++) | 246 | while (ret < LBUFSIZE && buf[ret++] != 0) |
247 | ; | 247 | ; |
248 | if (unlikely(LBUFSIZE == ret)) { | 248 | if (unlikely(LBUFSIZE == ret)) { |
249 | DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n"); | 249 | DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n"); |