From 8fb2868c61a0ecdab93074151bda8b6e5adef491 Mon Sep 17 00:00:00 2001 From: "Andrey V. Elsukov" Date: Tue, 21 Jun 2011 10:35:20 +0000 Subject: [PATCH] When user specifies the bootcode with size smaller than VTOC_BOOTCODE, gpart_write_partcode_vtoc8 does access out of range of allocated memory. Check size of bootcode before writing it. Pointed out by: ru MFC after: 1 week --- sbin/geom/class/part/geom_part.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sbin/geom/class/part/geom_part.c b/sbin/geom/class/part/geom_part.c index 389c274dbfeb..a4569119e538 100644 --- a/sbin/geom/class/part/geom_part.c +++ b/sbin/geom/class/part/geom_part.c @@ -1208,8 +1208,11 @@ gpart_bootcode(struct gctl_req *req, unsigned int fl) if (idx == 0) errx(EXIT_FAILURE, "missing -i option"); gpart_write_partcode(gp, idx, partcode, partsize); - } else + } else { + if (partsize != VTOC_BOOTSIZE) + errx(EXIT_FAILURE, "invalid bootcode"); gpart_write_partcode_vtoc8(gp, idx, partcode); + } } else if (bootcode == NULL) errx(EXIT_FAILURE, "no -b nor -p");