From: Russ Allbery Date: Sat, 29 Jun 2013 21:27:55 +0000 (-0700) Subject: Fix restorevol crash on corrupt nDumpTimes value X-Git-Tag: upstream/1.6.17^2~54 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=c2005f1ff0052c3a77c39349551441962c100278;p=packages%2Fo%2Fopenafs.git Fix restorevol crash on corrupt nDumpTimes value If the number of dump times claimed in the volume header was greater than MAXDUMPTIMES, restorevol would happily write over random stack memory and crash. Sanity-check the loaded value and cap it to MAXDUMPTIMES with a warning. Bug found by Mayhem and reported by Alexandre Rebert. Reviewed-on: http://gerrit.openafs.org/10025 Tested-by: BuildBot Reviewed-by: Jeffrey Altman Reviewed-by: Derrick Brashear (cherry picked from commit d5fb2c2bdccedbd539cb2629cf918d5f37b82c7b) Change-Id: I0b4718afd3c3330581ce5da875f9f8a83fe6b132 Reviewed-on: http://gerrit.openafs.org/11553 Tested-by: BuildBot Reviewed-by: Daria Phoebe Brashear Reviewed-by: Jeffrey Altman Reviewed-by: Benjamin Kaduk Reviewed-by: Stephan Wiesand --- diff --git a/src/volser/restorevol.c b/src/volser/restorevol.c index 003f3196f..ea3c64f7f 100644 --- a/src/volser/restorevol.c +++ b/src/volser/restorevol.c @@ -171,6 +171,11 @@ ReadDumpHeader(struct DumpHeader *dh) case 't': dh->nDumpTimes = ntohl(readvalue(2)) >> 1; + if (dh->nDumpTimes > MAXDUMPTIMES) { + fprintf(stderr, "Too many dump times in header (%d > %d)\n", + dh->nDumpTimes, MAXDUMPTIMES); + dh->nDumpTimes = MAXDUMPTIMES; + } for (i = 0; i < dh->nDumpTimes; i++) { dh->dumpTimes[i].from = ntohl(readvalue(4)); dh->dumpTimes[i].to = ntohl(readvalue(4));
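Review bot: In the new `if (dh->nDumpTimes > MAXDUMPTIMES)` branch under `case 't':` in ReadDumpHeader(), clamping the count stops the out-of-bounds writes to `dh->dumpTimes[]`, but the loop that follows then consumes only MAXDUMPTIMES from/to pairs. Any further pairs the header claimed stay unread in the input, so the next tag is parsed from the middle of that data. Consider either reading and discarding the excess entries (loop over the original count and store only while `i < MAXDUMPTIMES`) or treating the header as corrupt and returning an error rather than continuing. The stderr text could also say that the value is being capped to MAXDUMPTIMES, since the commit message describes it as a warning and the current wording reads like a fatal error.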