From d5fb2c2bdccedbd539cb2629cf918d5f37b82c7b Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sat, 29 Jun 2013 14:27:55 -0700
Subject: [PATCH] Fix restorevol crash on corrupt nDumpTimes value

If the number of dump times claimed in the volume header was greater than MAXDUMPTIMES, restorevol would happily write over random stack memory and crash. Sanity-check the loaded value and cap it to MAXDUMPTIMES with a warning.

Bug found by Mayhem and reported by Alexandre Rebert.

Change-Id: Ib0edd9b1b6f540d8b0128151333d3bb0a8ef37fa
Reviewed-on: http://gerrit.openafs.org/10025
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Reviewed-by: Derrick Brashear
---
 src/volser/restorevol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/volser/restorevol.c b/src/volser/restorevol.c
index 653a6ace2..f4a54b7bb 100644
--- a/src/volser/restorevol.c
+++ b/src/volser/restorevol.c
@@ -162,6 +162,11 @@ ReadDumpHeader(struct DumpHeader *dh)
 case 't':
 dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
+ if (dh->nDumpTimes > MAXDUMPTIMES) {
+ fprintf(stderr, "Too many dump times in header (%d > %d)\n",
+ dh->nDumpTimes, MAXDUMPTIMES);
+ dh->nDumpTimes = MAXDUMPTIMES;
+ }
 for (i = 0; i < dh->nDumpTimes; i++) {
 dh->dumpTimes[i].from = ntohl(readvalue(4));
 dh->dumpTimes[i].to = ntohl(readvalue(4));
--
2.39.5
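Review bot: Capping nDumpTimes before the loop stops the stack overwrite, but it leaves the excess (nDumpTimes - MAXDUMPTIMES) * 8 bytes of dump-time entries unread, so the next tag ReadDumpHeader pulls from the stream (the enclosing switch continues outside the hunk) will be parsed out of those leftover bytes and the rest of the header is silently mis-read. A corrupt header should either be rejected outright, consistent with whatever error path ReadDumpHeader uses for other bad tags (not visible here), or the extra entries should be consumed so the stream stays in sync before the count is capped. The `%d` conversions also assume nDumpTimes is an int, which the hunk does not show; worth confirming against struct DumpHeader. One way to keep the stream aligned using only names already in the hunk:
```c
	dh->nDumpTimes = ntohl(readvalue(2)) >> 1;
	for (i = 0; i < dh->nDumpTimes && i < MAXDUMPTIMES; i++) {
	    dh->dumpTimes[i].from = ntohl(readvalue(4));
	    dh->dumpTimes[i].to = ntohl(readvalue(4));
	}
	/* consume the entries we have no room for, so the next header
	 * tag is read from the correct offset, then cap the count */
	for (; i < dh->nDumpTimes; i++) {
	    (void)readvalue(4);
	    (void)readvalue(4);
	}
	if (dh->nDumpTimes > MAXDUMPTIMES) {
	    fprintf(stderr, "Too many dump times in header (%d > %d)\n",
		    dh->nDumpTimes, MAXDUMPTIMES);
	    dh->nDumpTimes = MAXDUMPTIMES;
	}
```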