From a7230ec76fc7e37b90e35eb4ec550e51a10458d3 Mon Sep 17 00:00:00 2001 From: Christine Caulfield Date: Wed, 24 Feb 2021 09:26:16 +0000 Subject: [PATCH] blackbox: Sanitize items read from the blackbox header covscan complained we don't check the blackbox header when reading it in. (quite reasonably) --- lib/ringbuffer.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/lib/ringbuffer.c b/lib/ringbuffer.c index b0fc79826..aa6f4cf30 100644 --- a/lib/ringbuffer.c +++ b/lib/ringbuffer.c @@ -144,7 +144,7 @@ qb_rb_open_2(const char *name, size_t size, uint32_t flags, page_size = QB_MAX(page_size, 16 * 1024); #endif /* QB_FORCE_SHM_ALIGN */ /* The user of this api expects the 'size' parameter passed into this function - * to be reflective of the max size single write we can do to the + * to be reflective of the max size single write we can do to the * ringbuffer. This means we have to add both the 'margin' space used * to calculate if there is enough space for a new chunk as well as the '+1' that * prevents overlap of the read/write pointers */ @@ -798,11 +798,17 @@ qb_rb_create_from_file(int32_t fd, uint32_t flags) uint32_t version = 0; uint32_t hash = 0; uint32_t calculated_hash = 0; + struct stat st; if (fd < 0) { return NULL; } + if (fstat(fd, &st)) { + qb_util_perror(LOG_ERR, "Unable to stat blackbox file"); + return NULL; + } + /* * 1. word size */ @@ -814,6 +820,11 @@ qb_rb_create_from_file(int32_t fd, uint32_t flags) } total_read += n_read; + if (word_size > (st.st_size / sizeof(uint32_t))) { + qb_util_perror(LOG_ERR, "Invalid word size read from blackbox header"); + return NULL; + } + /* * 2. 3. read & write pointers */ @@ -824,6 +835,10 @@ qb_rb_create_from_file(int32_t fd, uint32_t flags) n_read = read(fd, &read_pt, sizeof(uint32_t)); assert(n_read == sizeof(uint32_t)); total_read += n_read; + if (write_pt > st.st_size || read_pt > st.st_size) { + qb_util_perror(LOG_ERR, "Invalid pointers read from blackbox header"); + return NULL; + } /* * 4. version @@ -836,6 +851,11 @@ qb_rb_create_from_file(int32_t fd, uint32_t flags) } total_read += n_read; + if (version != QB_RB_FILE_HEADER_VERSION) { + qb_util_perror(LOG_ERR, "Invalid version read from blackbox header"); + return NULL; + } + /* * 5. Hash */