From: Chunwei Chen <david.chen@nutanix.com>
Date: Thu, 1 Feb 2018 23:41:05 +0000 (-0800)
Subject: Fix zle_decompress out of bound access
X-Git-Tag: zfs-0.7.7~32
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5e566c57726226ceeca09b1eb19cb1c373622763;p=zfs

Fix zle_decompress out of bound access

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: loli10K <ezomori.nozomu@gmail.com>
Signed-off-by: Chunwei Chen <david.chen@nutanix.com>
Closes #7099
---

diff --git a/module/zfs/zle.c b/module/zfs/zle.c
index 13c5673fb..613607faa 100644
--- a/module/zfs/zle.c
+++ b/module/zfs/zle.c
@@ -74,10 +74,14 @@ zle_decompress(void *s_start, void *d_start, size_t s_len, size_t d_len, int n)
 	while (src < s_end && dst < d_end) {
 		int len = 1 + *src++;
 		if (len <= n) {
+			if (src + len > s_end || dst + len > d_end)
+				return (-1);
 			while (len-- != 0)
 				*dst++ = *src++;
 		} else {
 			len -= n;
+			if (dst + len > d_end)
+				return (-1);
 			while (len-- != 0)
 				*dst++ = 0;
 		}