- limit the number of program and section headers to be
  processed to avoid excessive processing time.
- if a bad note is found, return 0 to stop processing immediately.
zoulasc committed Nov 22, 2014
1 parent 4b2de03 commit b4c0114
Showing 2 changed files with 32 additions and 12 deletions.
24 changes: 16 additions & 8 deletions src/elfclass.h
Expand Up @@ -35,29 +35,37 @@
switch (type) {
#ifdef ELFCORE
case ET_CORE:
phnum = elf_getu16(swap, elfhdr.e_phnum);
if (phnum > MAX_PHNUM)
return toomany(ms, "program", phnum);
flags |= FLAGS_IS_CORE;
if (dophn_core(ms, clazz, swap, fd,
(off_t)elf_getu(swap, elfhdr.e_phoff),
elf_getu16(swap, elfhdr.e_phnum),
(off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
fsize, &flags) == -1)
return -1;
break;
#endif
case ET_EXEC:
case ET_DYN:
phnum = elf_getu16(swap, elfhdr.e_phnum);
if (phnum > MAX_PHNUM)
return toomany(ms, "program", phnum);
shnum = elf_getu16(swap, elfhdr.e_shnum);
if (shnum > MAX_SHNUM)
return toomany(ms, "section", shnum);
if (dophn_exec(ms, clazz, swap, fd,
(off_t)elf_getu(swap, elfhdr.e_phoff),
elf_getu16(swap, elfhdr.e_phnum),
(off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
== -1)
fsize, &flags, shnum) == -1)
return -1;
/*FALLTHROUGH*/
case ET_REL:
shnum = elf_getu16(swap, elfhdr.e_shnum);
if (shnum > MAX_SHNUM)
return toomany(ms, "section", shnum);
if (doshn(ms, clazz, swap, fd,
(off_t)elf_getu(swap, elfhdr.e_shoff),
elf_getu16(swap, elfhdr.e_shnum),
(off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
(size_t)elf_getu16(swap, elfhdr.e_shentsize),
fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
(int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
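Review bot: The `shnum` read and `MAX_SHNUM` check under `case ET_REL:` (just after the `/*FALLTHROUGH*/`) repeat what the ET_EXEC/ET_DYN path already did a few lines earlier, so on fallthrough the second check can never fire; it is harmless, but a comment such as `/* re-read for ET_REL; a no-op when falling through from ET_EXEC/ET_DYN */` would stop a reader from mistaking the duplication for a missed check. The cap is a hard stop rather than a truncation: `return toomany(...)` leaves the switch before `doshn` is ever called, so a relocatable object that legitimately exceeds 1024 section headers (builds with -ffunction-sections routinely do) gets only the ", too many ..." text and none of the usual description. If that trade-off is intended it deserves a comment beside the limit; otherwise processing the first MAX_SHNUM headers and reporting the truncation would keep the time bound without dropping output. The enclosing function begins and ends outside the hunk, so what the caller does with the 0 that `toomany` returns is not visible here.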
20 changes: 16 additions & 4 deletions src/readelf.c
Expand Up @@ -27,7 +27,7 @@
#include "file.h"

#ifndef lint
FILE_RCSID("@(#)$File: readelf.c,v 1.103 2014/05/02 02:25:10 christos Exp $")
FILE_RCSID("@(#)$File: readelf.c,v 1.104 2014/10/17 15:49:00 christos Exp $")
#endif

#ifdef BUILTIN_ELF
Expand Down Expand Up @@ -60,6 +60,18 @@ private uint16_t getu16(int, uint16_t);
private uint32_t getu32(int, uint32_t);
private uint64_t getu64(int, uint64_t);

#define MAX_PHNUM 256
#define MAX_SHNUM 1024

private int
toomany(struct magic_set *ms, const char *name, uint16_t num)
{
if (file_printf(ms, ", too many %s header sections (%u)", name, num
) == -1)
return -1;
return 0;
}

private uint16_t
getu16(int swap, uint16_t value)
{
Expand Down Expand Up @@ -499,13 +511,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
if (namesz & 0x80000000) {
(void)file_printf(ms, ", bad note name size 0x%lx",
(unsigned long)namesz);
return offset;
return 0;
}

if (descsz & 0x80000000) {
(void)file_printf(ms, ", bad note description size 0x%lx",
(unsigned long)descsz);
return offset;
return 0;
}


Expand Down Expand Up @@ -1240,7 +1252,7 @@ file_tryelf(struct magic_set *ms, int fd, const unsigned char *buf,
int flags = 0;
Elf32_Ehdr elf32hdr;
Elf64_Ehdr elf64hdr;
uint16_t type;
uint16_t type, phnum, shnum;

if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
return 0;
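Review bot: The format string in `toomany`, `", too many %s header sections (%u)"`, reads wrongly for the "program" call site (program headers are not sections) and doubles the word for "section"; `", too many %s headers (%u)"` would be correct for both callers. `MAX_PHNUM` and `MAX_SHNUM` are bare `#define`s with no rationale recorded; a comment next to them like `/* caps on e_phnum/e_shnum that bound parsing time on hostile or odd files; toomany() reports and stops */` would say why the limits exist and what exceeding them does. `toomany` returns 0 after printing and -1 only when `file_printf` fails, the same value as the early `return 0` for MIME/APPLE in `file_tryelf` (last hunk), so a caller looking at the return alone presumably cannot distinguish a capped file from one that was not processed; that seems to be the intent and should be stated in a short comment above the function. The `donote` change to `return 0` on a bad name or description size follows the same stop-immediately convention; the rest of `donote` lies outside the hunk.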
