Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 28 Apr 2015 13:04:51 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r282144 - head/usr.sbin/crunch/crunchide
Message-ID:  <201504281304.t3SD4pLU069782@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: emaste
Date: Tue Apr 28 13:04:51 2015
New Revision: 282144
URL: https://svnweb.freebsd.org/changeset/base/282144

Log:
  crunchide: add basic string table sanity checks
  
  Reported by:	Coverity Scan
  CID:		978805, 980919
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/usr.sbin/crunch/crunchide/exec_elf32.c

Modified: head/usr.sbin/crunch/crunchide/exec_elf32.c
==============================================================================
--- head/usr.sbin/crunch/crunchide/exec_elf32.c	Tue Apr 28 12:52:08 2015	(r282143)
+++ head/usr.sbin/crunch/crunchide/exec_elf32.c	Tue Apr 28 13:04:51 2015	(r282144)
@@ -321,11 +321,14 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 	 */
 
 	/* load section string table for debug use */
-	if ((shstrtabp = xmalloc(xewtoh(shstrtabshdr->sh_size), fn,
-	    "section string table")) == NULL)
+	if ((size = xewtoh(shstrtabshdr->sh_size)) == 0)
+		goto bad;
+	if ((shstrtabp = xmalloc(size, fn, "section string table")) == NULL)
 		goto bad;
 	if ((size_t)xreadatoff(fd, shstrtabp, xewtoh(shstrtabshdr->sh_offset),
-	    xewtoh(shstrtabshdr->sh_size), fn) != xewtoh(shstrtabshdr->sh_size))
+	    size, fn) != size)
+		goto bad;
+	if (shstrtabp[size - 1] != '\0')
 		goto bad;
 
 	/* we need symtab, strtab, and everything behind strtab */
@@ -346,7 +349,8 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 			strtabidx = i;
 		if (layoutp[i].shdr == symtabshdr || i >= strtabidx) {
 			off = xewtoh(layoutp[i].shdr->sh_offset);
-			size = xewtoh(layoutp[i].shdr->sh_size);
+			if ((size = xewtoh(layoutp[i].shdr->sh_size)) == 0)
+				goto bad;
 			layoutp[i].bufp = xmalloc(size, fn,
 			    shstrtabp + xewtoh(layoutp[i].shdr->sh_name));
 			if (layoutp[i].bufp == NULL)
@@ -356,10 +360,13 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 				goto bad;
 
 			/* set symbol table and string table */
-			if (layoutp[i].shdr == symtabshdr)
+			if (layoutp[i].shdr == symtabshdr) {
 				symtabp = layoutp[i].bufp;
-			else if (layoutp[i].shdr == strtabshdr)
+			} else if (layoutp[i].shdr == strtabshdr) {
 				strtabp = layoutp[i].bufp;
+				if (strtabp[size - 1] != '\0')
+					goto bad;
+			}
 		}
 	}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201504281304.t3SD4pLU069782>