Deleting a boot entry via "-b xxxx -B" also attempts to remove
that entry from boot order via a call to remove_from_boot_order.
Although unusual, it's possible that the entry being deleted is
not in boot order. Correct the handling of this case in
remove_from_boot_order, which malloc's space for the new boot
order list wrongly assuming that at least one entry will be
removed. However, if no entry is removed, then 2 bytes are
overwritten beyond the malloc'ed space. This can result in heap
corruption and possible termination via a SIGABRT if the
corruption is detected by the heap allocation routines.

While there, simplify the routine to do the removal of boot
entries in place in the original data buffer, skip the
unnecessary BootOrder variable update if nothing got removed,
and free the malloc'ed boot_order struct on the way out.
Resolves: RH BZ 1168019
Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
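
The sizing error and the in-place removal described in the commit message, as an added illustration that is not the efibootmgr source: the function names, the `uint16_t` list layout and the sample BootOrder values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix sizing assumption: the new list is always one entry shorter. */
static size_t assumed_alloc_bytes(size_t count)
{
    return count ? (count - 1) * sizeof(uint16_t) : 0;
}

/* Bytes a "copy every entry except num" loop really writes. */
static size_t needed_bytes(const uint16_t *order, size_t count, uint16_t num)
{
    size_t keep = 0;
    for (size_t i = 0; i < count; i++)
        if (order[i] != num)
            keep++;
    return keep * sizeof(uint16_t);
}

/* In-place removal: compacts the original buffer, so no second allocation
 * can be undersized. Returns the number of entries removed; 0 tells the
 * caller to skip the BootOrder variable update. */
static size_t remove_in_place(uint16_t *order, size_t *count, uint16_t num)
{
    size_t out = 0;
    for (size_t i = 0; i < *count; i++)
        if (order[i] != num)
            order[out++] = order[i];
    size_t removed = *count - out;
    *count = out;
    return removed;
}

int main(void)
{
    uint16_t order[] = { 0x0001, 0x0003, 0x0000 }; /* constructed sample */
    size_t count = sizeof(order) / sizeof(order[0]);
    uint16_t absent = 0x0007;                      /* not in the list */

    printf("allocated %zu bytes, copy needs %zu\n",
           assumed_alloc_bytes(count), needed_bytes(order, count, absent));
    if (remove_in_place(order, &count, absent) == 0)
        printf("nothing removed, BootOrder update skipped\n");
    return 0;
}
```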