From 769aca9e956cd4bb7cc97be813968348f5e7f3d2 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Tue, 19 Jun 2018 03:19:56 +0300
Subject: equipment: sanitize 'tank_info' loop limits

In a number of places the global 'tank_info' array is being iterated based on a 'tank_info[idx].name != NULL' condition. This is dangerous because if the user has added a lot of tanks, such loops can reach 'tank_info[MAX_TANK_INFO]'. This is an out of bounds read and if the 'name' pointer there happens to be non-NULL, passing that address to a peace of code that tries to read it (like strlen()) would either SIGSEGV or have undefined behavior. Clamp all loops that iterate 'tank_info' to MAX_TANK_INFO.

Signed-off-by: Lubomir I. Ivanov
---
 core/planner.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'core')

diff --git a/core/planner.c b/core/planner.c
index cb013799d..cc6874c3f 100644
--- a/core/planner.c
+++ b/core/planner.c
@@ -209,7 +209,7 @@ void fill_default_cylinder(cylinder_t *cyl)
 if (!cyl_name)
 return;
 
- while (ti->name != NULL) {
+ while (ti->name != NULL && ti < tank_info + MAX_TANK_INFO) {
 if (strcmp(ti->name, cyl_name) == 0)
 break;
 ti++;
-- 
cgit v1.2.3-70-g09d2
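Review bot: The added bound check in the `while` condition is evaluated after `ti->name` has already been dereferenced, so when `ti` reaches `tank_info + MAX_TANK_INFO` the loop still reads `name` one element past the array before the `&&` short-circuits, which is exactly the out-of-bounds read the commit message describes. Swapping the operands lets the pointer comparison guard the dereference: `while (ti < tank_info + MAX_TANK_INFO && ti->name != NULL) {`. The initialization of `ti` is outside the hunk; this assumes it starts at `tank_info`, which the comparison implies but which should be confirmed. The message says all such loops were clamped, yet only `core/planner.c` appears in this core-limited view, so any other sites should use the same operand order. `fill_default_cylinder` starts and ends outside the hunk.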