mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00

sd-journal: check .next_entry_array_offset earlier

Then, if it is invalid, refuse to use the entry array object.

Follow-up for a8fbcc0e3c.
Fixes #27489.
Yu Watanabe 2023-05-03 01:29:08 +09:00
parent 845824acdd
commit b5335da7a5


@ -924,7 +924,7 @@ static int check_object(JournalFile *f, Object *o, uint64_t offset) {
} }
case OBJECT_ENTRY_ARRAY: { case OBJECT_ENTRY_ARRAY: {
uint64_t sz; uint64_t sz, next;
sz = le64toh(READ_NOW(o->object.size)); sz = le64toh(READ_NOW(o->object.size));
if (sz < offsetof(Object, entry_array.items) || if (sz < offsetof(Object, entry_array.items) ||
@ -934,11 +934,12 @@ static int check_object(JournalFile *f, Object *o, uint64_t offset) {
"Invalid object entry array size: %" PRIu64 ": %" PRIu64, "Invalid object entry array size: %" PRIu64 ": %" PRIu64,
sz, sz,
offset); offset);
/* Here, we request that the offset of each entry array object is in strictly increasing order. */
if (!VALID64(le64toh(o->entry_array.next_entry_array_offset))) next = le64toh(o->entry_array.next_entry_array_offset);
if (!VALID64(next) || (next > 0 && next <= offset))
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
"Invalid object entry array next_entry_array_offset: " OFSfmt ": %" PRIu64, "Invalid object entry array next_entry_array_offset: %" PRIu64 ": %" PRIu64,
le64toh(o->entry_array.next_entry_array_offset), next,
offset); offset);
break; break;
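Review bot: The new `next = le64toh(o->entry_array.next_entry_array_offset);` reads the field without `READ_NOW()`, unlike the `sz` read at the top of this `OBJECT_ENTRY_ARRAY` case, so the value that passes the `next <= offset` test is not guaranteed to be a single snapshot if the object lives in a file mapping that a writer can still modify. Writing it as `next = le64toh(READ_NOW(o->entry_array.next_entry_array_offset));` would make the validated value and the logged value come from the same load. The comment above the check could also state why the ordering is required, for example `/* Offsets must strictly increase, so a corrupted file cannot make the entry array chain point back at itself or an earlier object. */`. check_object() starts and ends outside these hunks, so whether later readers of this field re-validate it is not visible here.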