Avoid segfault if verify header appears longer than io_u

[fio.git] / verify.c

diff --git a/verify.c b/verify.c
index 5621db2a5b222e2b00afa354382ca38ee84a1cb7..5fe78c8cf556893fafccda5f485beca158e68ca0 100644 (file)
--- a/verify.c
+++ b/verify.c
@@ -646,13 +646,17 @@ static int verify_trimmed_io_u(struct thread_data *td, struct io_u *io_u)
        return ret;
 }
 
-static int verify_header(struct verify_header *hdr)
+static int verify_header(struct io_u *io_u, struct verify_header *hdr)
 {
        void *p = hdr;
        uint32_t crc;
 
        if (hdr->magic != FIO_HDR_MAGIC)
                return 0;
+       if (hdr->len > io_u->buflen) {
+               log_err("fio: verify header exceeds buffer length (%u > %lu)\n", hdr->len, io_u->buflen);
+               return 0;
+       }
 
        crc = fio_crc32c(p, offsetof(struct verify_header, crc32));
        if (crc == hdr->crc32)
@@ -695,7 +699,7 @@ int verify_io_u(struct thread_data *td, struct io_u *io_u)
                        memswp(p, p + td->o.verify_offset, header_size);
                hdr = p;
 
-               if (!verify_header(hdr)) {
+               if (!verify_header(io_u, hdr)) {
                        log_err("verify: bad magic header %x, wanted %x at "
                                "file %s offset %llu, length %u\n",
                                hdr->magic, FIO_HDR_MAGIC,