Source-Changes-HG archive


[src/trunk]: src/sys/dev/dkwedge Fix buffer overflow. Triggerable by plugging...



details:   https://anonhg.NetBSD.org/src/rev/9ebff7100035
branches:  trunk
changeset: 452204:9ebff7100035
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Jun 22 06:45:46 2019 +0000

description:
Fix buffer overflow. Triggerable by plugging a specially-crafted USB key
in the machine (the kernel automatically tries to parse its GPT header).
The check could maybe be appeased to allow bigger sizes, but we've never
done that, so I'm leaving it as-is.

diffstat:

 sys/dev/dkwedge/dkwedge_gpt.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r 68f68434e04f -r 9ebff7100035 sys/dev/dkwedge/dkwedge_gpt.c
--- a/sys/dev/dkwedge/dkwedge_gpt.c     Sat Jun 22 04:45:04 2019 +0000
+++ b/sys/dev/dkwedge/dkwedge_gpt.c     Sat Jun 22 06:45:46 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $ */
+/*     $NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $    */
 
 /*-
  * Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -175,7 +175,7 @@
 
        entries = le32toh(hdr->hdr_entries);
        entsz = roundup(le32toh(hdr->hdr_entsz), 8);
-       if (entsz > roundup(sizeof(struct gpt_ent), 8)) {
+       if (entsz != sizeof(struct gpt_ent)) {
                aprint_error("%s: bogus GPT entry size: %u\n",
                    pdk->dk_name, le32toh(hdr->hdr_entsz));
                error = EINVAL;
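Review bot: In the `@@ -175,7 +175,7 @@` hunk the new test `entsz != sizeof(struct gpt_ent)` is applied to the value that has already gone through `roundup(le32toh(hdr->hdr_entsz), 8)`, not to the on-disk field. Any `hdr_entsz` that rounds up to `sizeof(struct gpt_ent)` is therefore still accepted, and the test can only pass at all if that size is itself a multiple of 8. Comparing the raw `le32toh(hdr->hdr_entsz)` against `sizeof(struct gpt_ent)` would make the exact-size requirement explicit and would match the value the `aprint_error` line prints. A short comment above the check saying why only the exact entry size is accepted would also help, since that reasoning currently lives only in the commit message.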


