author | Otto Moerbeek <otto@cvs.openbsd.org> | 2008-08-12 09:44:27 +0000 |
---|---|---|
committer | Otto Moerbeek <otto@cvs.openbsd.org> | 2008-08-12 09:44:27 +0000 |
commit | 72470cfeb65691eec8b92b74e609412cdc285e18 (patch) | |
tree | 62d0da4789b08f452efb8dab463402fe0b48017d /usr.sbin | |
parent | ea093c833f07cf2166bb61f1f00ddb2289ac865b (diff) |
basic bounds check on elf header info. avoid crashes on i.e. truncated
kernels; noted by jasper@ ok miod@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/config/exec_elf.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/usr.sbin/config/exec_elf.c b/usr.sbin/config/exec_elf.c
index 09e8c37aa7f..c2bb4ab38b9 100644
--- a/usr.sbin/config/exec_elf.c
+++ b/usr.sbin/config/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.10 2004/01/04 18:30:05 deraadt Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.11 2008/08/12 09:44:26 otto Exp $ */
 
 /*
  * Copyright (c) 1999 Mats O Jansson. All rights reserved.
@@ -25,7 +25,7 @@
  */
 
 #ifndef LINT
-static char rcsid[] = "$OpenBSD: exec_elf.c,v 1.10 2004/01/04 18:30:05 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: exec_elf.c,v 1.11 2008/08/12 09:44:26 otto Exp $";
 #endif
 
 #include <err.h>
@@ -141,9 +141,23 @@ elf_loadkernel(char *file)
 if (read(fd, elf_total, (size_t)elf_size) != elf_size)
 errx(1, "can't read elf kernel");
 
+ if (elf_ex.e_phoff > (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+ if (elf_ex.e_shoff > (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
 elf_phdr = (Elf_Phdr *)&elf_total[elf_ex.e_phoff];
 elf_shdr = (Elf_Shdr *)&elf_total[elf_ex.e_shoff];
 
+ if ((char *)&elf_shdr[elf_ex.e_shstrndx] +
+ sizeof(elf_shdr[elf_ex.e_shstrndx]) >= elf_total + (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
+ if ((char *)&elf_shdr[elf_ex.e_shstrndx].sh_offset +
+ sizeof(elf_shdr[elf_ex.e_shstrndx].sh_offset) >=
+ elf_total + (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
 elf_shstrtab = &elf_total[elf_shdr[elf_ex.e_shstrndx].sh_offset];
 
 close(fd); |
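Review bot: The last added check in the `elf_loadkernel` hunk compares the address of the `sh_offset` field with the end of the buffer, not the value stored in it, so `elf_shstrtab = &elf_total[...sh_offset]` can still point outside `elf_total` for a truncated or malformed kernel; that check is also already implied by the whole-header check just above it. The third check forms `&elf_shdr[elf_ex.e_shstrndx]` before the index is known to be in range, and its `>=` rejects a section header that ends exactly at end of file. Comparing offsets rather than pointers avoids both and lets the `sh_offset` value itself be validated, as sketched below; `e_phnum` and `sh_size` stay unchecked and are presumably relied on by code outside this hunk. The body of `elf_loadkernel` starts and ends outside the hunk.

```c
	/* … unchanged: read() into elf_total and the e_phoff check … */
	/* Validate the index in offset arithmetic, so no out-of-range pointer is formed. */
	if (elf_ex.e_shoff > (size_t)elf_size ||
	    elf_ex.e_shstrndx >=
	    ((size_t)elf_size - elf_ex.e_shoff) / sizeof(Elf_Shdr))
		errx(1, "incorrect ELF header or truncated file");

	elf_phdr = (Elf_Phdr *)&elf_total[elf_ex.e_phoff];
	elf_shdr = (Elf_Shdr *)&elf_total[elf_ex.e_shoff];

	/* The offset value, not the address of the field, has to lie inside the file. */
	if (elf_shdr[elf_ex.e_shstrndx].sh_offset >= (size_t)elf_size)
		errx(1, "incorrect ELF header or truncated file");
	/* … unchanged: elf_shstrtab assignment, close(fd) … */
```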