* Fix some out of range index accesses in elf parsing

- Thanks Ripe for reporting
pancake 2011-06-03 11:16:08 +02:00
parent ac0748de51
commit a6e46f4d2a
2 changed files with 17 additions and 5 deletions


@ -1,5 +1,5 @@
/* radare - LGPL - Copyright 2008-2011 nibble<.ds@gmail.com> */
/* radare - LGPL - Copyright 2008-2011 nibble<.ds@gmail.com>, pancake<nopcode.org> */
// TODO: review the rest of strtab index out of range
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -553,6 +553,10 @@ struct r_bin_elf_reloc_t* Elf_(r_bin_elf_get_relocs)(struct Elf_(r_bin_elf_obj_t
}
}
for (i = 0; i < bin->ehdr.e_shnum; i++) {
if (bin->shdr[i].sh_name > strtab_section->sh_size) {
perror ("Invalid shdr index in strtab\n");
continue;
}
if (!strcmp (&bin->strtab[bin->shdr[i].sh_name], ".rel.plt"))
tsize = sizeof (Elf_(Rel));
else if (!strcmp (&bin->strtab[bin->shdr[i].sh_name], ".rela.plt"))
@ -584,6 +588,10 @@ struct r_bin_elf_reloc_t* Elf_(r_bin_elf_get_relocs)(struct Elf_(r_bin_elf_obj_t
for (j = 0; j < nrel; j++) {
idx = ELF_R_SYM (rel[j].r_info);
if (idx < nsym) {
if (sym[idx].st_name > strtab_section->sh_size) {
perror ("Invalid shdr index in symbol\n");
continue;
}
len = __strnlen (&strtab[sym[idx].st_name], ELF_STRING_LENGTH-1);
memcpy (ret[j].name, &strtab[sym[idx].st_name], len);
} else strncpy (ret[j].name, "unknown", ELF_STRING_LENGTH);
@ -751,6 +759,10 @@ struct r_bin_elf_symbol_t* Elf_(r_bin_elf_get_symbols)(struct Elf_(r_bin_elf_obj
}
ret[ret_ctr].offset = (toffset >= bin->baddr ? toffset -= bin->baddr : toffset);
ret[ret_ctr].size = tsize;
if (sym[k].st_name > strtab_section->sh_size) {
perror ("index out of strtab range\n");
return NULL;
}
len = __strnlen (&strtab[sym[k].st_name], ELF_STRING_LENGTH-1);
memcpy (ret[ret_ctr].name, &strtab[sym[k].st_name], len);
ret[ret_ctr].ordinal = k;
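Review bot: The three added checks compare with `>` (`sh_name > strtab_section->sh_size` in the section loop, and the two `st_name` checks in the reloc and symbol loops), so an index exactly equal to `sh_size` still passes and `&strtab[...]` points one byte past the table; the comparison should be `>=`, e.g. `if (sym[idx].st_name >= strtab_section->sh_size) {`. The check also bounds only the start of the name: `strcmp` and `__strnlen (..., ELF_STRING_LENGTH-1)` can still read beyond the table when a malformed file leaves the final string unterminated, so the length limit should also be capped at `sh_size - st_name`. In the symbols hunk, `return NULL` abandons `ret`; if it was allocated earlier in the function (not visible here), it should be freed first. `perror` appends the text for the current `errno`, which is unrelated to these conditions, so `fprintf (stderr, ...)` would report just the message. All three loops sit in functions that start and end outside the hunks.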


@ -110,7 +110,7 @@ R_API int r_socket_connect (RSocket *s, const char *host, const char *port, int
#endif
if (proto != R_SOCKET_PROTO_UNIX) {
memset(&hints, 0, sizeof(struct addrinfo));
memset (&hints, 0, sizeof (struct addrinfo));
hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
hints.ai_protocol = proto;
gai = getaddrinfo (host, port, &hints, &res);
@ -192,9 +192,9 @@ R_API int r_socket_listen (RSocket *s, const char *port, const char *certfile) {
linger.l_onoff = 1;
linger.l_linger = 1;
setsockopt (s->fd, SOL_SOCKET, SO_LINGER, (const char *)&linger, sizeof (linger));
memset (&sa, 0, sizeof(sa));
memset (&sa, 0, sizeof (sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_ANY);
sa.sin_addr.s_addr = htonl (INADDR_ANY);
sa.sin_port = htons (atoi (port));
if (bind (s->fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {