isofs: Fix unchecked printing of ER records

commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream We didn't check length of rock ridge ER records before printing them. Thus corrupted isofs image can cause us to access and print some memory behind the buffer with obvious consequences. Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no> CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
author: Jan Kara <jack@suse.cz> 2014-12-18 17:26:10 +0100
committer: Stefan Bader <stefan.bader@canonical.com> 2015-05-29 11:54:14 +0200
commit: c8a37f400d13f645d49598db4950260f0d85e530 (patch)
tree: c8024d0ee047dc2dedb9a5762cba2d2af216606c
parent: f85ef0778b8453fe21f643e2adb6fe4a29ee7b33 (diff)
download: linux-2.6.32.y-drm33.z-c8a37f400d13f645d49598db4950260f0d85e530.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 69c737d4b517c..2ec72aeae9ca1 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -363,6 +363,9 @@ repeat:
 			rs.cont_size = isonum_733(rr->u.CE.size);
 			break;
 		case SIG('E', 'R'):
+			/* Invalid length of ER tag id? */
+			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
+				goto out;
 			ISOFS_SB(inode->i_sb)->s_rock = 1;
 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
 			{
author	Jan Kara <jack@suse.cz>	2014-12-18 17:26:10 +0100
committer	Stefan Bader <stefan.bader@canonical.com>	2015-05-29 11:54:14 +0200
commit	c8a37f400d13f645d49598db4950260f0d85e530 (patch)
tree	c8024d0ee047dc2dedb9a5762cba2d2af216606c
parent	f85ef0778b8453fe21f643e2adb6fe4a29ee7b33 (diff)
download	linux-2.6.32.y-drm33.z-c8a37f400d13f645d49598db4950260f0d85e530.tar.gz