[PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r

[Aristo Chen]

When size == SIZE_MAX, the expression malloc(size + 1) wraps to
malloc(0) due to unsigned integer overflow. malloc(0) may return a
non-NULL pointer, causing the subsequent memcpy(data, env, size) to
write SIZE_MAX bytes into a zero-byte allocation.

This is reachable from the U-Boot console via "env import", where size
is taken directly from a user-supplied hex argument.

Add an explicit check for SIZE_MAX before the malloc call and return
EINVAL.

Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
---
 lib/hashtable.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/hashtable.c b/lib/hashtable.c
index 75c263b5053..902fa6f3e98 100644
--- a/lib/hashtable.c
+++ b/lib/hashtable.c
@@ -820,6 +820,13 @@ int himport_r(struct hsearch_data *htab,
 		return 0;
 	}
 
+	/* Check for potential integer overflow */
+	if (size == SIZE_MAX) {
+		debug("%s: size too large, would overflow\n", __func__);
+		__set_errno(EINVAL);
+		return 0;
+	}
+
 	/* we allocate new space to make sure we can write to the array */
 	if ((data = malloc(size + 1)) == NULL) {
 		debug("himport_r: can't malloc %lu bytes\n", (ulong)size + 1);
-- 
2.43.0