Source-Changes-HG archive


[src/trunk]: src/sys/dev/dkwedge Fix buffer overflow. Triggerable by plugging...



details:   https://anonhg.NetBSD.org/src/rev/d00c43002cea
branches:  trunk
changeset: 999874:d00c43002cea
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Jun 22 06:45:46 2019 +0000

description:
Fix buffer overflow. Triggerable by plugging a specially-crafted USB key
in the machine (the kernel automatically tries to parse its GPT header).
The check could maybe be appeased to allow bigger sizes, but we've never
done that, so I'm leaving it as-is.

diffstat:

 sys/dev/dkwedge/dkwedge_gpt.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r c1e809f82160 -r d00c43002cea sys/dev/dkwedge/dkwedge_gpt.c
--- a/sys/dev/dkwedge/dkwedge_gpt.c     Sat Jun 22 04:45:04 2019 +0000
+++ b/sys/dev/dkwedge/dkwedge_gpt.c     Sat Jun 22 06:45:46 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $ */
+/*     $NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $    */
 
 /*-
  * Copyright (c) 2004 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.22 2019/04/10 15:19:15 mlelstv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dkwedge_gpt.c,v 1.23 2019/06/22 06:45:46 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -175,7 +175,7 @@
 
        entries = le32toh(hdr->hdr_entries);
        entsz = roundup(le32toh(hdr->hdr_entsz), 8);
-       if (entsz > roundup(sizeof(struct gpt_ent), 8)) {
+       if (entsz != sizeof(struct gpt_ent)) {
                aprint_error("%s: bogus GPT entry size: %u\n",
                    pdk->dk_name, le32toh(hdr->hdr_entsz));
                error = EINVAL;
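Review bot: the new test at `if (entsz != sizeof(struct gpt_ent))` compares the value after `roundup(le32toh(hdr->hdr_entsz), 8)`, so an on-disk hdr_entsz up to 7 bytes short of sizeof(struct gpt_ent) still rounds up to the accepted size and passes, while the error message prints the raw field. Consider comparing the raw `le32toh(hdr->hdr_entsz)` against sizeof(struct gpt_ent) before rounding, so the value checked and the value reported are the same. The right-hand side also no longer goes through roundup(), which is only correct if sizeof(struct gpt_ent) is already a multiple of 8; a short comment or a compile-time assertion stating that would keep the check from silently rejecting every header if the struct ever changes. Finally, `entries` is taken straight from the header on the line above and nothing in this hunk bounds it; it is worth confirming that the later code validates it before using entries * entsz as a size.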


