From 0e7b44f7f89291d8ae75e4f099d8aa2bcca1cfc5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 9 Oct 2007 14:34:15 +0200
Subject: [PATCH] fix buffer overflow

Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
---
 mount/lomount.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

Index: util-linux-ng-2.13rc2+git20070725/mount/lomount.c
===================================================================
--- util-linux-ng-2.13rc2+git20070725.orig/mount/lomount.c
+++ util-linux-ng-2.13rc2+git20070725/mount/lomount.c
@@ -25,8 +25,8 @@
 #include "xstrncpy.h"
 #include "nls.h"
 
-#ifndef MAX
-#define MAX(a,b) ((a>b)?(a):(b))
+#ifndef MIN
+#define MIN(a,b) ((a<b)?(a):(b))
 #endif
 
 extern int verbose;
@@ -291,7 +291,7 @@ digits_only(const char *s) {
 
 static void phash_none(const unsigned char *key, size_t keylen, unsigned char* buf, size_t buflen)
 {
-	memcpy(buf, key, MAX(buflen, keylen));
+	memcpy(buf, key, MIN(buflen, keylen));
 }
 
 static void phash_rmd160(const unsigned char *key, size_t keylen, unsigned char* buf, size_t buflen)
@@ -304,7 +304,7 @@ static void phash_rmd160(const unsigned 
 	rmd160_hash_buffer(tmpbuf + RMD160_HASH_SIZE, tmp, keylen+1);
 	memset(tmp, 0, keylen+1);
 	free(tmp);
-	memcpy(buf, tmpbuf, MAX(buflen, sizeof(tmpbuf)));
+	memcpy(buf, tmpbuf, MIN(buflen, sizeof(tmpbuf)));
 }
 
 int
@@ -421,6 +421,11 @@ set_loop(const char *device, const char 
 			loopinfo64.lo_encrypt_key_size = keysz>>3;
 		}
 
+		if((unsigned)loopinfo64.lo_encrypt_key_size > sizeof(loopinfo64.lo_encrypt_key)) {
+			fprintf(stderr, _("invalid key length\n"));
+			return 1;
+		}
+
 		if (phash) {
 			if(!strcasecmp(phash, "sha512")) {
 				hfunc = sha512_hash_buffer;