fs/zfs/zfs: Fix possible insecure use of chunk size in zap_leaf_array_get()

In zap_leaf_array_get() the chunk size passed in is considered tainted
by Coverity, and is being used before it is tested for validity. To fix
this, the assignment of "la" is moved to after the test of the value
of "chunk".

Fixes: CID 314014

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Darren Kenny 2021-10-26 15:02:39 +00:00 committed by Daniel Kiper
parent b1fae9c1ba
commit bb9ff31641


@ -2229,7 +2229,7 @@ zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft,
while (bseen < array_len)
{
struct zap_leaf_array *la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
struct zap_leaf_array *la;
grub_size_t toread = array_len - bseen;
if (toread > ZAP_LEAF_ARRAY_BYTES)
@ -2239,6 +2239,7 @@ zap_leaf_array_get (zap_leaf_phys_t * l, grub_zfs_endian_t endian, int blksft,
/* Don't use grub_error because this error is to be ignored. */
return GRUB_ERR_BAD_FS;
la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;
grub_memcpy (buf + bseen,la->la_array, toread);
chunk = grub_zfs_to_cpu16 (la->la_next, endian);
bseen += toread;
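Review bot: The moved assignment `la = &ZAP_LEAF_CHUNK (l, blksft, chunk)->l_array;` has no comment saying why it must stay below the range test, so a later cleanup could fold it back into the declaration and bring back the use of an unchecked index. I would add `/* chunk is untrusted (passed in, then taken from la_next); form the pointer only after the range check above. */` directly above it. The test itself sits just before `return GRUB_ERR_BAD_FS;` and is not among the visible lines, so I am assuming it bounds `chunk` against the leaf's chunk count. The `grub_memcpy` still relies on the caller for `buf` holding `array_len` bytes, which nothing in these lines checks and which may be worth stating in the function's header comment. The loop body begins and ends outside the hunk.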