From c6788cd5614de5925dbd03fec854c9cdfef7556d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 26 Aug 2014 23:54:31 -0400 Subject: [PATCH] sd-journal: verify that object start with the field name If the journal is corrupted, we might return an object that does not start with the expected field name and/or is shorter than it should. (cherry picked from commit 0f99f74a14ef193c1ebde687c5cc76e1d67b85ef) --- src/journal/journal-file.c | 1 - src/journal/sd-journal.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c index 2d79dcee70..db2b77cdef 100644 --- a/src/journal/journal-file.c +++ b/src/journal/journal-file.c @@ -419,7 +419,6 @@ int journal_file_move_to_object(JournalFile *f, int type, uint64_t offset, Objec if (!VALID64(offset)) return -EFAULT; - r = journal_file_move_to(f, type_to_context(type), false, offset, sizeof(ObjectHeader), &t); if (r < 0) return r; diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c index 3840ee486f..311eb815a8 100644 --- a/src/journal/sd-journal.c +++ b/src/journal/sd-journal.c @@ -2598,6 +2598,21 @@ _public_ int sd_journal_enumerate_unique(sd_journal *j, const void **data, size_ if (r < 0) return r; + /* Check if we have at least the field name and "=". */ + if (ol <= k) { + log_debug("%s:offset " OFSfmt ": object has size %zu, expected at least %zu", + j->unique_file->path, j->unique_offset, + ol, k + 1); + return -EBADMSG; + } + + if (memcmp(odata, j->unique_field, k) || ((const char*) odata)[k] != '=') { + log_debug("%s:offset " OFSfmt ": object does not start with \"%s=\"", + j->unique_file->path, j->unique_offset, + j->unique_field); + return -EBADMSG; + } + /* OK, now let's see if we already returned this data * object by checking if it exists in the earlier * traversed files. */