From c2005f1ff0052c3a77c39349551441962c100278 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sat, 29 Jun 2013 14:27:55 -0700
Subject: [PATCH] Fix restorevol crash on corrupt nDumpTimes value

If the number of dump times claimed in the volume header was greater than MAXDUMPTIMES, restorevol would happily write over random stack memory and crash. Sanity-check the loaded value and cap it to MAXDUMPTIMES with a warning.

Bug found by Mayhem and reported by Alexandre Rebert.

Reviewed-on: http://gerrit.openafs.org/10025
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Reviewed-by: Derrick Brashear
(cherry picked from commit d5fb2c2bdccedbd539cb2629cf918d5f37b82c7b)
Change-Id: I0b4718afd3c3330581ce5da875f9f8a83fe6b132
Reviewed-on: http://gerrit.openafs.org/11553
Tested-by: BuildBot
Reviewed-by: Daria Phoebe Brashear
Reviewed-by: Jeffrey Altman
Reviewed-by: Benjamin Kaduk
Reviewed-by: Stephan Wiesand
---
 src/volser/restorevol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/volser/restorevol.c b/src/volser/restorevol.c
index 003f3196f..ea3c64f7f 100644
--- a/src/volser/restorevol.c
+++ b/src/volser/restorevol.c
@@ -171,6 +171,11 @@ ReadDumpHeader(struct DumpHeader *dh)
 case 't':
 dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
+ if (dh->nDumpTimes > MAXDUMPTIMES) {
+ fprintf(stderr, "Too many dump times in header (%d > %d)\n",
+ dh->nDumpTimes, MAXDUMPTIMES);
+ dh->nDumpTimes = MAXDUMPTIMES;
+ }
 for (i = 0; i < dh->nDumpTimes; i++) {
 dh->dumpTimes[i].from = ntohl(readvalue(4));
 dh->dumpTimes[i].to = ntohl(readvalue(4));
-- 
2.39.5
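Review bot: Capping dh->nDumpTimes before the for loop stops the stack overwrite, but it leaves the surplus (nDumpTimes - MAXDUMPTIMES) entries of two 4-byte values each unread in the input, so the 't' case returns with the stream positioned mid-record and the tag parser that follows will interpret dump-time bytes as header tags. Since the header is already known to be inconsistent, either drain the surplus entries after filling the array so parsing stays in sync, or treat the condition as fatal rather than a warning; the rewrite below drains them and keeps the first MAXDUMPTIMES entries, which is what the warning text implies. The enclosing ReadDumpHeader body and the switch this case belongs to begin and end outside the hunk, so the rest of the tag loop is not visible here.
```c
	dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
	for (i = 0; i < dh->nDumpTimes && i < MAXDUMPTIMES; i++) {
	    dh->dumpTimes[i].from = ntohl(readvalue(4));
	    dh->dumpTimes[i].to = ntohl(readvalue(4));
	}
	/* Read and discard surplus entries so later tags are parsed from the right offset. */
	for (; i < dh->nDumpTimes; i++) {
	    (void)readvalue(4);
	    (void)readvalue(4);
	}
	if (dh->nDumpTimes > MAXDUMPTIMES) {
	    fprintf(stderr, "Too many dump times in header (%d > %d)\n",
		    dh->nDumpTimes, MAXDUMPTIMES);
	    dh->nDumpTimes = MAXDUMPTIMES;
	}
```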