diff options
author | Jan Kara <jack@suse.cz> | 2014-12-18 17:26:10 +0100 |
---|---|---|
committer | Stefan Bader <stefan.bader@canonical.com> | 2015-05-29 11:54:14 +0200 |
commit | c8a37f400d13f645d49598db4950260f0d85e530 (patch) | |
tree | c8024d0ee047dc2dedb9a5762cba2d2af216606c | |
parent | f85ef0778b8453fe21f643e2adb6fe4a29ee7b33 (diff) | |
download | linux-2.6.32.y-drm33.z-c8a37f400d13f645d49598db4950260f0d85e530.tar.gz |
isofs: Fix unchecked printing of ER records
commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream
We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-rw-r--r-- | fs/isofs/rock.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 69c737d4b517c..2ec72aeae9ca1 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -363,6 +363,9 @@ repeat: rs.cont_size = isonum_733(rr->u.CE.size); break; case SIG('E', 'R'): + /* Invalid length of ER tag id? */ + if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) + goto out; ISOFS_SB(inode->i_sb)->s_rock = 1; printk(KERN_DEBUG "ISO 9660 Extensions: "); { |