authorTheodore Ts'o <tytso@mit.edu>2020-08-26 16:29:29 -0400
committerTheodore Ts'o <tytso@mit.edu>2020-08-26 16:29:29 -0400
commit7b63656df911172efea39295266501cdd91869d7 (patch)
tree974b71732fcf22b0baee474402ac1b1203a5a3f7
parent6cdd4b9309fb7aad1746e7abab2afc756274dcbc (diff)
downloade2fsprogs-7b63656df911172efea39295266501cdd91869d7.tar.gz
libext2fs: fix potential buffer overrun in __get_dirent_tail()
If the file system is corrupted, there is a potential of a read-only buffer overrun. Fortunately, we don't actually use the result of that pointer dereference, and the overrun is at most 64k. Google-Bug-Id: #158564737 Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict") Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--lib/ext2fs/csum.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
index 54b53a3c5..9b0b7908e 100644
--- a/lib/ext2fs/csum.c
+++ b/lib/ext2fs/csum.c
@@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
d = dirent;
top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
- rec_len = translate(d->rec_len);
while ((void *) d < top) {
+ rec_len = translate(d->rec_len);
if ((rec_len < 8) || (rec_len & 0x03))
return EXT2_ET_DIR_CORRUPTED;
d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
- rec_len = translate(d->rec_len);
}
if ((char *)d > ((char *)dirent + fs->blocksize))
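Review bot: The advance `d = (struct ext2_dir_entry *)(((char *)d) + rec_len);` can still move `d` well past the end of the block on a corrupted directory, and the only bounds check is the `(char *)d > ((char *)dirent + fs->blocksize)` test after the loop. With `rec_len` now read inside the `d < top` guard, nothing in the visible lines dereferences that pointer, but forming it is already outside what C guarantees for pointer arithmetic, and the loop's safety rests on an invariant that is not written down. Consider rejecting the record before advancing, e.g. `if (rec_len > (size_t)(((char *)dirent + fs->blocksize) - (char *)d)) return EXT2_ET_DIR_CORRUPTED;`, which returns the same error code as the post-loop check. A comment above the loop would also help, such as `/* d->rec_len may only be read while d < top; beyond that d may point outside the block */`. The body of __get_dirent_tail() starts and ends outside this hunk, so later uses of `d` are not visible here.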