An NT_GNU_BUILD_ID with namesz longer than 4 will cause the strncmp() to use bytes in adjacent stringtable entries.
Instead, check for namesz exactly equal to 4, and use memcmp() with an explicit size. Signed-off-by: Andrew Cooper <[email protected]> --- CC: Jan Beulich <[email protected]> CC: Wei Liu <[email protected]> CC: Roger Pau Monné <[email protected]> CC: Stefano Stabellini <[email protected]> CC: Julien Grall <[email protected]> Noticed while auditing Xen's use of strncmp() for the command line patch. --- xen/common/version.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/version.c b/xen/common/version.c index 223cb52..1df7e78 100644 --- a/xen/common/version.c +++ b/xen/common/version.c @@ -97,17 +97,17 @@ int xen_build_id_check(const Elf_Note *n, unsigned int n_sz, if ( NT_GNU_BUILD_ID != n->type ) return -ENODATA; - if ( n->namesz + n->descsz < n->namesz ) + if ( n->namesz != 4 /* GNU\0 */) return -EINVAL; - if ( n->namesz < 4 /* GNU\0 */) + if ( n->namesz + n->descsz < n->namesz ) return -EINVAL; if ( n->namesz + n->descsz > n_sz - sizeof(*n) ) return -EINVAL; /* Sanity check, name should be "GNU" for ld-generated build-id. */ - if ( strncmp(ELFNOTE_NAME(n), "GNU", n->namesz) != 0 ) + if ( memcmp(ELFNOTE_NAME(n), "GNU", 4) != 0 ) return -ENODATA; if ( len ) -- 2.1.4 _______________________________________________ Xen-devel mailing list [email protected] https://lists.xenproject.org/mailman/listinfo/xen-devel
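Review bot: the new `if ( n->namesz != 4 /* GNU\0 */)` check returns -EINVAL, which changes the result for an NT_GNU_BUILD_ID note whose name is longer than 4 bytes and is not "GNU": the old strncmp() path returned -ENODATA for it, and the name-mismatch case two checks later still does. Consider returning -ENODATA for the length mismatch as well, or state in the commit message that the change in error code is intended. The literal 4 now appears in both the namesz check and the memcmp() call; writing both as sizeof("GNU") would keep them tied to the string being compared. The ordering is otherwise sound, since the `n->namesz + n->descsz > n_sz - sizeof(*n)` bounds check runs before memcmp() reads the 4 name bytes, but `n_sz - sizeof(*n)` wraps when n_sz is smaller than the note header and the visible context does not show a guard for that, so it is worth confirming one exists earlier in the function or in the callers.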
