svn commit: r358639 - head/contrib/elftoolchain/readelf

Ed Maste emaste at FreeBSD.org
Wed Mar 4 20:41:46 UTC 2020 

Author: emaste
Date: Wed Mar  4 20:41:45 2020
New Revision: 358639
URL: https://svnweb.freebsd.org/changeset/base/358639

Log:
  readelf: simplify namesz / descsz checks
  
  MFC after:	3 days
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/contrib/elftoolchain/readelf/readelf.c

Modified: head/contrib/elftoolchain/readelf/readelf.c
==============================================================================
--- head/contrib/elftoolchain/readelf/readelf.c	Wed Mar  4 20:30:11 2020	(r358638)
+++ head/contrib/elftoolchain/readelf/readelf.c	Wed Mar  4 20:41:45 2020	(r358639)
@@ -3728,6 +3728,7 @@ dump_notes_content(struct readelf *re, const char *buf
 {
 	Elf_Note *note;
 	const char *end, *name;
+	uint32_t namesz, descsz;
 
 	printf("\nNotes at offset %#010jx with length %#010jx:\n",
 	    (uintmax_t) off, (uintmax_t) sz);
@@ -3739,13 +3740,16 @@ dump_notes_content(struct readelf *re, const char *buf
 			return;
 		}
 		note = (Elf_Note *)(uintptr_t) buf;
-		buf += sizeof(Elf_Note);
-		if (buf + roundup2(note->n_namesz, 4) > end) {
-			warnx("invalid note header name");
+		namesz = roundup2(note->n_namesz, 4);
+		descsz = roundup2(note->n_descsz, 4);
+		if (namesz < note->n_namesz || descsz < note->n_descsz ||
+		    buf + namesz + descsz > end) {
+			warnx("invalid note header");
 			return;
 		}
+		buf += sizeof(Elf_Note);
 		name = buf;
-		buf += roundup2(note->n_namesz, 4);
+		buf += namesz;
 		/*
 		 * The name field is required to be nul-terminated, and
 		 * n_namesz includes the terminating nul in observed
@@ -3763,12 +3767,8 @@ dump_notes_content(struct readelf *re, const char *buf
 		printf("  %-13s %#010jx", name, (uintmax_t) note->n_descsz);
 		printf("      %s\n", note_type(name, re->ehdr.e_type,
 		    note->n_type));
-		if (buf + roundup2(note->n_descsz, 4) > end) {
-			warnx("invalid note header desc");
-			return;
-		}
 		dump_notes_data(re, name, note->n_type, buf, note->n_descsz);
-		buf += roundup2(note->n_descsz, 4);
+		buf += descsz;
 	}
 }

More information about the svn-src-all mailing list