uclinux: fix gzip header parsing in binfmt_flat.c

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.

I've encountered this off-by-one error when tried to reuse
gzip-header-parsing part of the decompress_exec() function. There was an
"original file name" field in the payload (with miscalculated length) and
zlib_inflate() returned Z_DATA_ERROR. But after the fix similar to this
one all worked fine.

Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@gmail.com>
Acked-by: Greg Ungerer <gerg@snapgear.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Volodymyr G. Lukiianyk and committed by

Linus Torvalds 17 years ago f4cfb18d 0c6aa263

+3 -3

1 changed file

expand all

binfmt_flat.c

+3 -3

fs/binfmt_flat.c

··· 229 229 ret = 10; 230 230 if (buf[3] & EXTRA_FIELD) { 231 231 ret += 2 + buf[10] + (buf[11] << 8); 232 - if (unlikely(LBUFSIZE == ret)) { 232 + if (unlikely(LBUFSIZE <= ret)) { 233 233 DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n"); 234 234 goto out_free_buf; 235 235 } 236 236 } 237 237 if (buf[3] & ORIG_NAME) { 238 - for (; ret < LBUFSIZE && (buf[ret] != 0); ret++) 238 + while (ret < LBUFSIZE && buf[ret++] != 0) 239 239 ; 240 240 if (unlikely(LBUFSIZE == ret)) { 241 241 DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n"); ··· 243 243 } 244 244 } 245 245 if (buf[3] & COMMENT) { 246 - for (; ret < LBUFSIZE && (buf[ret] != 0); ret++) 246 + while (ret < LBUFSIZE && buf[ret++] != 0) 247 247 ; 248 248 if (unlikely(LBUFSIZE == ret)) { 249 249 DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");