author | 2017-09-24 08:44:14 +0000 | |
---|---|---|
committer | 2017-09-24 08:44:14 +0000 | |
commit | d1d0000f9a67dc8d7c445ca84f8468b0607ec007 (patch) | |
tree | f4aba2c93bd0dc8415b844e1ab7ac56ab4723ddb /usr.bin/ctfconv/parse.c | |
parent | fix tunnel forwarding problem introduced in refactor; reported by (diff) | |
Ignore DW_FORM_strp with size larger than elf section buffer
fixes accessing memory out of bounds that led to a segfault.
Found with afl. ok mpi@
Diffstat (limited to 'usr.bin/ctfconv/parse.c')
-rw-r--r-- | usr.bin/ctfconv/parse.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/usr.bin/ctfconv/parse.c b/usr.bin/ctfconv/parse.c
index e634082ec9f..655b69fd729 100644
--- a/usr.bin/ctfconv/parse.c
+++ b/usr.bin/ctfconv/parse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.c,v 1.5 2017/08/29 21:10:20 deraadt Exp $ */
+/* $OpenBSD: parse.c,v 1.6 2017/09/24 08:44:14 jsg Exp $ */
 /*
 * Copyright (c) 2016-2017 Martin Pieuchot
@@ -1298,13 +1298,17 @@ dav2str(struct dwaval *dav)
 {
 const char *str = NULL;
 extern const char *dstrbuf;
+ extern size_t dstrlen;
 switch (dav->dav_dat->dat_form) {
 case DW_FORM_string:
 str = dav->dav_str;
 break;
 case DW_FORM_strp:
- str = dstrbuf + dav->dav_u32;
+ if (dav->dav_u32 >= dstrlen)
+ str = NULL;
+ else
+ str = dstrbuf + dav->dav_u32;
 break;
 default:
 break; |
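Review bot: The new `DW_FORM_strp` branch in `dav2str` checks only that the offset falls inside the string section, not that the string starting there is NUL-terminated before `dstrbuf + dstrlen`. If the section's final byte is not `'\0'`, any later `strlen`/`strdup` on the returned pointer can still read past the buffer; whether the loader already guarantees a trailing NUL is not visible in this hunk. Either enforce that once where `dstrbuf` is loaded, or tighten the condition here to `if (dav->dav_u32 >= dstrlen || memchr(dstrbuf + dav->dav_u32, '\0', dstrlen - dav->dav_u32) == NULL)`. Callers that previously always received a non-NULL pointer for `DW_FORM_strp` should also be checked for NULL handling. The rest of `dav2str` (the end of the switch and the return) lies outside the hunk.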