isofs: fix access to unallocated memory when reading corrupted filesystem
authorJan Kara <jack@suse.cz>
Wed, 30 Apr 2008 07:52:33 +0000 (00:52 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Wed, 30 Apr 2008 15:29:33 +0000 (08:29 -0700)
When a directory on isofs is corrupted, we did not check whether length of the
name in a directory entry and the length of the directory entry itself are
consistent.  This could lead to possible access beyond the end of buffer when
the length of the name was too big.  Add this sanity check to directory
reading code.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/isofs/dir.c
fs/isofs/namei.c

index 1ba407c64df1fed39edbe1470538dd49da171a61..2f0dc5a1463306adcecc3296a8cf6b01defb7fe3 100644 (file)
@@ -145,6 +145,14 @@ static int do_isofs_readdir(struct inode *inode, struct file *filp,
                        }
                        de = tmpde;
                }
+               /* Basic sanity check, whether name doesn't exceed dir entry */
+               if (de_len < de->name_len[0] +
+                                       sizeof(struct iso_directory_record)) {
+                       printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+                              " in block %lu of inode %lu\n", block,
+                              inode->i_ino);
+                       return -EIO;
+               }
 
                if (first_de) {
                        isofs_normalize_block_and_offset(de,
index 344b247bc29ab1f104fcc25af9a831052267baad..8299889a835ea5c9b95c7d71afcabdb4610310c1 100644 (file)
@@ -111,6 +111,13 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry,
 
                dlen = de->name_len[0];
                dpnt = de->name;
+               /* Basic sanity check, whether name doesn't exceed dir entry */
+               if (de_len < dlen + sizeof(struct iso_directory_record)) {
+                       printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+                              " in block %lu of inode %lu\n", block,
+                              dir->i_ino);
+                       return 0;
+               }
 
                if (sbi->s_rock &&
                    ((i = get_rock_ridge_filename(de, tmpname, dir)))) {