From: Jan Kiszka <
jan.k...@siemens.com>
If the len field is smaller than the minimal size (len + type), reject
the env as invalid. This avoids returning a bogus size from
ebg_env_get[_ex], caused by an overflow of the size calculation in
bgenv_map_uservar.
The impact of returning such an invalid size, though, was not critical
because either the caller detected that size as invalid itself or failed
to allocate that much memory as buffer. If both was not the case, the
worst case would have been asking ebg_env_get[_ex] to read beyond the
normal internal buffers, likely either crashing the application, but
never revealing anything that wasn't accessible anyway.
Reported-by: Yuval Fradkin <
yuvalf...@gmail.com>
Reported-by: Codex Security
Signed-off-by: Jan Kiszka <
jan.k...@siemens.com>
---
env/uservars.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/env/uservars.c b/env/uservars.c
index d7f4bbe..6178eaf 100644
--- a/env/uservars.c
+++ b/env/uservars.c
@@ -93,6 +93,11 @@ bool bgenv_validate_uservars(uint8_t *udata)
uint32_t payload_size;
memcpy(&payload_size, udata, sizeof(payload_size));
+ /* the payload must not be smaller than the minimal fields */
+ if (payload_size < sizeof(uint32_t) + sizeof(uint64_t)) {
+ return false;
+ }
+
/* the payload must leave at least one byte free */
if (payload_size >= spaceleft) {
return false;
--
2.47.3