Re: [PATCH] uclinux: fix gzip header parsing in binfmt_flat.c
From: Volodymyr G. Lukiianyk
Date: Tue Aug 26 2008 - 13:58:13 EST
There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.
Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@xxxxxxxxx>
---
Sorry for repost, looks like I forgot to remove "--color" when saved diff
attached to the previous e-mail.
I've encountered this off-by-one error when tried to reuse gzip-header-parsing
part of the decompress_exec() function. There was an "original file name" field
in the payload (with miscalculated length) and zlib_inflate() returned
Z_DATA_ERROR. But after the fix similar to this one all worked fine.
WARNING: the proposed patch wasn't properly tested.
diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index dfc0197..ccb781a 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -229,13 +229,13 @@ static int decompress_exec(
ret = 10;
if (buf[3] & EXTRA_FIELD) {
ret += 2 + buf[10] + (buf[11] << 8);
- if (unlikely(LBUFSIZE == ret)) {
+ if (unlikely(LBUFSIZE <= ret)) {
DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n");
goto out_free_buf;
}
}
if (buf[3] & ORIG_NAME) {
- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
+ while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n");
@@ -243,7 +243,7 @@ static int decompress_exec(
}
}
if (buf[3] & COMMENT) {
- for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
+ while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");