[PATCH] isofs: Fix access to unallocated memory when reading corrupted filesystem

From: Jan Kara
Date: Mon Apr 28 2008 - 10:45:33 EST


When directory of isofs is corrupted, we did not check whether length of the
name in a directory entry and the lenght of the directory entry itself are
consistent. This could lead to possible access beyond the end of buffer when
the lenght of the name was too big. Add this sanity check to directory reading
code.

Signed-off-by: Jan Kara <jack@xxxxxxx>
---
fs/isofs/dir.c | 8 ++++++++
fs/isofs/namei.c | 7 +++++++
2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
index 1ba407c..2f0dc5a 100644
--- a/fs/isofs/dir.c
+++ b/fs/isofs/dir.c
@@ -145,6 +145,14 @@ static int do_isofs_readdir(struct inode *inode, struct file *filp,
}
de = tmpde;
}
+ /* Basic sanity check, whether name doesn't exceed dir entry */
+ if (de_len < de->name_len[0] +
+ sizeof(struct iso_directory_record)) {
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+ inode->i_ino);
+ return -EIO;
+ }

if (first_de) {
isofs_normalize_block_and_offset(de,
diff --git a/fs/isofs/namei.c b/fs/isofs/namei.c
index 344b247..8299889 100644
--- a/fs/isofs/namei.c
+++ b/fs/isofs/namei.c
@@ -111,6 +111,13 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry,

dlen = de->name_len[0];
dpnt = de->name;
+ /* Basic sanity check, whether name doesn't exceed dir entry */
+ if (de_len < dlen + sizeof(struct iso_directory_record)) {
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+ dir->i_ino);
+ return 0;
+ }

if (sbi->s_rock &&
((i = get_rock_ridge_filename(de, tmpname, dir)))) {
--
1.5.2.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/