Check for integer overflow when computing the allocation size for nvlist data (size + 3 * sizeof(uint32_t)). A wrapped size would yield an undersized buffer and heap corruption when parsing malformed ZFS metadata.
Signed-off-by: Timo tp Preißl <[email protected]>
---
 fs/zfs/zfs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..ee47f222a57 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1617,6 +1617,7 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 char *ret;
 size_t size;
 int found;
+ size_t alloc;
 found = nvlist_find_value(nvlist, name, DATA_TYPE_NVLIST, &nvpair, &size, 0);
@@ -1627,7 +1628,13 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
 * nvlist to hold the encoding method, and two zero uint32's after the
 * nvlist as the NULL terminator.
 */
- ret = calloc(1, size + 3 * sizeof(uint32_t));
+
+
+ if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+ return 0;
+
+ ret = calloc(1, alloc)
+
 if (!ret)
 return 0;
 memcpy(ret, nvlist, sizeof(uint32_t));
-- 
2.43.0
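Review bot: The new `ret = calloc(1, alloc)` line in the second hunk drops the statement's semicolon, so the patch does not compile as posted; it should read `ret = calloc(1, alloc);`. The overflow guard itself is correct, but `__builtin_add_overflow` is a GCC/Clang extension — if this tree does not already rely on it elsewhere, the portable form `if (size > SIZE_MAX - 3 * sizeof(uint32_t)) return 0;` expresses the same check with the existing `size` and no new local. The two blank lines added before the check and the one added after the calloc are stray and should be dropped. zfs_nvlist_lookup_nvlist starts and ends outside the hunk, so whether `size` is otherwise bounded against the nvlist buffer cannot be seen here.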

