From 97b3efa34929da20e2eaf9033067610019891ecd Mon Sep 17 00:00:00 2001
From: Ben Walker
Date: Tue, 28 Mar 2017 16:17:54 -0700
Subject: [PATCH] blob: Verify parsing does not run off end of page
Change-Id: I2663e0518705ffd23afbb69c7ae5bf5aff001c85
Signed-off-by: Ben Walker
---
 lib/blob/blobstore.c | 5 ++++-
 lib/blob/blobstore.h | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/blob/blobstore.c b/lib/blob/blobstore.c
index 673e45948..293096422 100644
--- a/lib/blob/blobstore.c
+++ b/lib/blob/blobstore.c
@@ -249,8 +249,11 @@ _spdk_blob_parse_page(const struct spdk_blob_md_page *page, struct spdk_blob *bl
 }
 /* Advance to the next descriptor */
- desc = (struct spdk_blob_md_descriptor *)((uintptr_t)desc + sizeof(*desc) + desc->length);
 cur_desc += sizeof(*desc) + desc->length;
+ if (cur_desc + sizeof(*desc) > sizeof(page->descriptors)) {
+ break;
+ }
+ desc = (struct spdk_blob_md_descriptor *)((uintptr_t)page->descriptors + cur_desc);
 }
 }
diff --git a/lib/blob/blobstore.h b/lib/blob/blobstore.h
index fdc2baffd..1977a483a 100644
--- a/lib/blob/blobstore.h
+++ b/lib/blob/blobstore.h
@@ -217,7 +217,7 @@ struct spdk_blob_md_page {
 uint32_t reserved0;
 /* Descriptors here */
- uint64_t descriptors[509];
+ uint8_t descriptors[4072];
 uint32_t next;
 uint32_t crc;
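Review bot: The guard added before the `desc` reassignment in `_spdk_blob_parse_page` (lib/blob/blobstore.c) proves only that the next descriptor's header lies inside `page->descriptors`; the `desc->length` bytes that follow it are still unchecked, so a length field read from a corrupt metadata page can describe a payload that extends past the array. Unless each descriptor-type branch earlier in the loop (outside this hunk) bounds its own reads, I would add right after the new assignment `if (desc->length > sizeof(page->descriptors) - cur_desc - sizeof(*desc)) { break; }`; the subtraction form cannot wrap because the preceding check already holds. The first descriptor is loaded before the loop, outside the hunk, and presumably needs the same test. The bare `break` also makes a truncated page indistinguishable from a cleanly terminated one, so a log line or an error return at this point would make damaged metadata detectable.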
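Review bot: The literal `4072` in `uint8_t descriptors[4072]` (lib/blob/blobstore.h) keeps the member the same size as the old `uint64_t descriptors[509]`, but nothing in the hunk records that, and this struct looks like an on-disk layout where a silent size change would shift `next` and `crc`. I would extend the comment to `/* Descriptors here: 4072 bytes (was 509 * 8), byte-addressed so parse offsets index it directly */` and, if the project has no compile-time size check on `struct spdk_blob_md_page` already, add one next to the definition. The struct begins and ends outside the hunk, so the total size cannot be confirmed from here.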