git: c291b7914e1d - main - tarfs: Avoid overflow in exthdr calculation.

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Wed, 06 Mar 2024 16:24:31 UTC

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=c291b7914e1db9469cc820abcb1f5dde7a6f7f28

commit c291b7914e1db9469cc820abcb1f5dde7a6f7f28
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-03-06 16:13:54 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-03-06 16:13:54 +0000

    tarfs: Avoid overflow in exthdr calculation.
    
    MFC after:      3 days
    PR:             277420
    Sponsored by:   Juniper Networks, Inc.
    Sponsored by:   Klara, Inc.
    Reviewed by:    kib
    Differential Revision:  https://reviews.freebsd.org/D44202
---
 sys/fs/tarfs/tarfs_vfsops.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/fs/tarfs/tarfs_vfsops.c b/sys/fs/tarfs/tarfs_vfsops.c
index df8ad240d032..05014bf10373 100644
--- a/sys/fs/tarfs/tarfs_vfsops.c
+++ b/sys/fs/tarfs/tarfs_vfsops.c
@@ -583,7 +583,8 @@ again:
 				error = EINVAL;
 				goto bad;
 			}
-			if (line + len > exthdr + sz) {
+			if ((uintptr_t)line + len < (uintptr_t)line ||
+			    line + len > exthdr + sz) {
 				TARFS_DPF(ALLOC, "%s: exthdr overflow\n",
 				    __func__);
 				error = EINVAL;