blob: Verify parsing does not run off end of page

Change-Id: I2663e0518705ffd23afbb69c7ae5bf5aff001c85 Signed-off-by: Ben Walker <benjamin.walker@intel.com>
2017-03-28 16:17:54 -07:00 · 2017-03-28 16:17:54 -07:00 · 97b3efa349
commit 97b3efa349
parent 0b89cff2ea
2 changed files with 5 additions and 2 deletions
--- a/lib/blob/blobstore.c
+++ b/lib/blob/blobstore.c
@ -249,8 +249,11 @@ _spdk_blob_parse_page(const struct spdk_blob_md_page *page, struct spdk_blob *bl
 		}

 		/* Advance to the next descriptor */
-		desc = (struct spdk_blob_md_descriptor *)((uintptr_t)desc + sizeof(*desc) + desc->length);
 		cur_desc += sizeof(*desc) + desc->length;
+		if (cur_desc + sizeof(*desc) > sizeof(page->descriptors)) {
+			break;
+		}
+		desc = (struct spdk_blob_md_descriptor *)((uintptr_t)page->descriptors + cur_desc);
 	}
 }

--- a/lib/blob/blobstore.h
+++ b/lib/blob/blobstore.h
@ -217,7 +217,7 @@ struct spdk_blob_md_page {
 	uint32_t	reserved0;

 	/* Descriptors here */
-	uint64_t	descriptors[509];
+	uint8_t		descriptors[4072];

 	uint32_t	next;
 	uint32_t	crc;