Commit 2deb1acc authored by Jan Kara's avatar Jan Kara Committed by Linus Torvalds

isofs: fix access to unallocated memory when reading corrupted filesystem



When a directory on isofs is corrupted, we did not check whether length of the
name in a directory entry and the length of the directory entry itself are
consistent.  This could lead to possible access beyond the end of buffer when
the length of the name was too big.  Add this sanity check to directory
reading code.

Signed-off-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6bfe0b49
+8 −0
@@ -145,6 +145,14 @@ static int do_isofs_readdir(struct inode *inode, struct file *filp,
			}
			}
			de = tmpde;
			de = tmpde;
		}
		}
		/* Basic sanity check, whether name doesn't exceed dir entry */
		if (de_len < de->name_len[0] +
					sizeof(struct iso_directory_record)) {
			printk(KERN_NOTICE "iso9660: Corrupted directory entry"
			       " in block %lu of inode %lu\n", block,
			       inode->i_ino);
			return -EIO;
		}


		if (first_de) {
		if (first_de) {
			isofs_normalize_block_and_offset(de,
			isofs_normalize_block_and_offset(de,
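Review bot: The added `return -EIO;` leaves the directory-scan loop directly, and nothing in the hunk releases the buffer that `de` was read from. The buffer acquisition is outside the hunk, so this is inferred, but if a buffer head is still held at this point, every corrupted entry that trips the check would leak a reference; a `brelse()` on that buffer just before the return would close the gap. The same concern applies to the `return 0;` added in isofs_find_entry. do_isofs_readdir starts and ends outside the hunk.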
+7 −0
@@ -111,6 +111,13 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry,


		dlen = de->name_len[0];
		dlen = de->name_len[0];
		dpnt = de->name;
		dpnt = de->name;
		/* Basic sanity check, whether name doesn't exceed dir entry */
		if (de_len < dlen + sizeof(struct iso_directory_record)) {
			printk(KERN_NOTICE "iso9660: Corrupted directory entry"
			       " in block %lu of inode %lu\n", block,
			       dir->i_ino);
			return 0;
		}


		if (sbi->s_rock &&
		if (sbi->s_rock &&
		    ((i = get_rock_ridge_filename(de, tmpname, dir)))) {
		    ((i = get_rock_ridge_filename(de, tmpname, dir)))) {
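Review bot: The added check in isofs_find_entry ends with `return 0;`, while the identical check in do_isofs_readdir returns `-EIO`, so the same on-disk corruption surfaces as an I/O error on one path and, presumably, as "name not found" on the other. If 0 is the not-found value here (the return type is outside the hunk), the log line is the only trace of the corruption on lookup, and because that `printk` is not rate limited, repeated lookups in a damaged directory can fill the kernel log; guarding it with `printk_ratelimit()` would bound that. A comment on the return such as `/* 0 == not found; corruption is reported only via the log */` would make the choice explicit. The function starts and ends outside the hunk.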