Check values read from file before using.
Fix CID#349504.
Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
#define EXTRA_DESC_ULL_NR 0 /* Nr of unsigned long long in extra_desc structure */
#define EXTRA_DESC_UL_NR 0 /* Nr of unsigned long in extra_desc structure */
#define EXTRA_DESC_U_NR 6 /* Nr of [unsigned] int in extra_desc structure */
+#define MAX_EXTRA_NR 8192
+#define MAX_EXTRA_SIZE 1024
/* Record type */
/*
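Review bot: The two new limits `MAX_EXTRA_NR` and `MAX_EXTRA_SIZE` are the only defines in this group without a trailing comment, so nothing says what they bound or how the values were chosen. Going by the check added in the other hunk, they cap the `extra_nr` and `extra_size` fields read from the data file. I would write `#define MAX_EXTRA_NR 8192 /* Max value accepted for extra_nr read from file */` and `#define MAX_EXTRA_SIZE 1024 /* Max value accepted for extra_size read from file */`. That makes it clear these are sanity bounds on untrusted input, not part of the file format.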
return -1;
}
+ if ((xtra_d.extra_nr > MAX_EXTRA_NR) || (xtra_d.extra_size > MAX_EXTRA_SIZE)) {
+#ifdef DEBUG
+ fprintf(stderr, "%s: extra_size=%u extra_nr=%u\n",
+ __FUNCTION__, xtra_d.extra_size, xtra_d.extra_size);
+#endif
+ return -1;
+ }
+
/* Ignore current unknown extra structures */
for (i = 0; i < xtra_d.extra_nr; i++) {
if (lseek(ifd, xtra_d.extra_size, SEEK_CUR) < xtra_d.extra_size)
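Review bot: The DEBUG `fprintf` in the added check passes `xtra_d.extra_size` for both `%u` conversions, so the value labelled `extra_nr` is really the size and the count is never logged. The argument line should read `__FUNCTION__, xtra_d.extra_size, xtra_d.extra_nr);`. Without that, someone triaging a rejected (corrupted or crafted) file cannot tell which field tripped the bound. Separately, the context line after the loop header compares the return of `lseek()` with `extra_size`, but `lseek()` returns the resulting offset from the start of the file (or -1), so the test probably does not detect a short skip as intended and is worth a follow-up. The enclosing function starts and ends outside the hunk.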