author | ae <ae@FreeBSD.org> | 2011-06-21 10:35:20 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2011-06-21 10:35:20 +0000 |
commit | c0d149ddb385e3c106d6ec8199c47cdddb57b5cf (patch) | |
tree | 333432a93157fef87acb74884bf4abf7a7e76eaf /sbin/geom/class | |
parent | a8e6967ab3a3ba41bc8f4637e9d5bf715848e8c6 (diff) | |
When user specifies the bootcode with size smaller than VTOC_BOOTCODE,
gpart_write_partcode_vtoc8 does access out of range of allocated memory.
Check size of bootcode before writing it.
Pointed out by: ru
MFC after: 1 week
Diffstat (limited to 'sbin/geom/class')
-rw-r--r-- | sbin/geom/class/part/geom_part.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sbin/geom/class/part/geom_part.c b/sbin/geom/class/part/geom_part.c index 389c274..a456911 100644 --- a/sbin/geom/class/part/geom_part.c +++ b/sbin/geom/class/part/geom_part.c @@ -1208,8 +1208,11 @@ gpart_bootcode(struct gctl_req *req, unsigned int fl) if (idx == 0) errx(EXIT_FAILURE, "missing -i option"); gpart_write_partcode(gp, idx, partcode, partsize); - } else + } else { + if (partsize != VTOC_BOOTSIZE) + errx(EXIT_FAILURE, "invalid bootcode"); gpart_write_partcode_vtoc8(gp, idx, partcode); + } } else if (bootcode == NULL) errx(EXIT_FAILURE, "no -b nor -p"); |
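Review bot: The `partsize != VTOC_BOOTSIZE` check added in the else branch guards only this call site, while `gpart_write_partcode_vtoc8(gp, idx, partcode)` still receives no length, so the function itself keeps assuming a buffer of the full size and any other or future caller would have to repeat the check. Consider passing `partsize` into the function and validating it there, or at least documenting at its definition that the buffer must be exactly VTOC_BOOTSIZE bytes. The errx text "invalid bootcode" would be easier to act on if it reported the expected and actual sizes. The equality test also rejects files larger than VTOC_BOOTSIZE, which the log message does not mention; if that is intended, say so in the log. Finally, the log names VTOC_BOOTCODE while the code tests VTOC_BOOTSIZE, so one of the two should be corrected.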