Fix restorevol crash on corrupt nDumpTimes value

If the number of dump times claimed in the volume header was greater
than MAXDUMPTIMES, restorevol would happily write over random stack
memory and crash.  Sanity-check the loaded value and cap it to
MAXDUMPTIMES with a warning.

Bug found by Mayhem and reported by Alexandre Rebert.

Reviewed-on: http://gerrit.openafs.org/10025
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
(cherry picked from commit d5fb2c2bdccedbd539cb2629cf918d5f37b82c7b)

Change-Id: I0b4718afd3c3330581ce5da875f9f8a83fe6b132
Reviewed-on: http://gerrit.openafs.org/11553
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

diff --git a/src/volser/restorevol.c b/src/volser/restorevol.c
index 003f3196f88a6321ae1a0f08b2e55481cf83ea29..ea3c64f7f84bec60de22817e7e2fa6c974f9315d 100644 (file)
--- a/src/volser/restorevol.c
+++ b/src/volser/restorevol.c
@@ -171,6 +171,11 @@ ReadDumpHeader(struct DumpHeader *dh)
 
        case 't':
            dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
+           if (dh->nDumpTimes > MAXDUMPTIMES) {
+               fprintf(stderr, "Too many dump times in header (%d > %d)\n",
+                       dh->nDumpTimes, MAXDUMPTIMES);
+               dh->nDumpTimes = MAXDUMPTIMES;
+           }
            for (i = 0; i < dh->nDumpTimes; i++) {
                dh->dumpTimes[i].from = ntohl(readvalue(4));
                dh->dumpTimes[i].to = ntohl(readvalue(4));