author | Dan McDonald <[email protected]> | 2014-06-23 22:25:02 -0400 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2014-07-01 14:10:47 -0700 |
commit | ee4712284cd6c0532b6fb78e23a3799f4ccdd675 (patch) | |
tree | 6688b30a21e60a276ed1f6fd2968f6bc82d2564f /module | |
parent | 4240dc332d2ca41c31d95a81d9217c1b311666ff (diff) |
Illumos #4936 fix potential overflow in lz4
4936 lz4 could theoretically overflow a pointer with a certain input
Reviewed by: Saso Kiselkov <[email protected]>
Reviewed by: Keith Wesolowski <[email protected]>
Approved by: Gordon Ross <[email protected]>
Ported by: Tim Chase <[email protected]>
References:
https://illumos.org/issues/4936
https://github.com/illumos/illumos-gate/commit/58d0718
Porting notes:
This fixes the widely-reported "20-year-old vulnerability" in
LZO/LZ4 implementations which inherited said bug from the reference
implementation.
Signed-off-by: Richard Yao <[email protected]>
Signed-off-by: Tim Chase <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #2429
Diffstat (limited to 'module')
-rw-r--r-- | module/zfs/lz4.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/module/zfs/lz4.c b/module/zfs/lz4.c index 497296e35..5c3c6cdb1 100644 --- a/module/zfs/lz4.c +++ b/module/zfs/lz4.c @@ -907,6 +907,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize, } /* copy literals */ cpy = op + length; + /* CORNER-CASE: cpy might overflow. */ + if (cpy < op) + goto _output_error; /* cpy was overflowed, bail! */ if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH)) { if (cpy > oend) |
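Review bot: The added guard `if (cpy < op)` only runs after `cpy = op + length` has been computed, so it relies on the pointer addition wrapping around. C leaves pointer arithmetic past the end of the object undefined, which means an optimizing compiler is allowed to assume the sum does not wrap and remove the test. I would validate the length before forming the pointer, for example by comparing `length` with `oend - op` and taking `goto _output_error` when it does not fit, so the check no longer depends on wraparound behaviour. The `ip + length > iend - COPYLENGTH` term in the condition that follows has the same shape on the input side and gets no equivalent guard in this hunk; it is worth bounding `length` against `iend - ip` in the same place.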