author | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 12:03:36 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2022-06-06 12:13:22 -0400 |
commit | d497224dfbfdc1313136488cd7fb196885d40dfb (patch) | |
tree | f34cba5e73b568700d695df7d252822c22d1e891 | |
parent | 1052048fb8f4ddcc0160eb670ef746ef7ee505a4 (diff) | |
download | e2fsprogs-d497224dfbfdc1313136488cd7fb196885d40dfb.tar.gz |
libext2fs: add check for too-short directory blocks

If there is an inline data directory which is smaller than 8 bytes
(which should never happen but for corrupted or fuzzed file systems),
ext2fs_process_dir_block() will now abort EXT2_ET_DIR_CORRUPTED to
avoid an out-of-bounds read.

Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | lib/ext2fs/dir_iterate.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c index b2b77693e..7798a4827 100644 --- a/lib/ext2fs/dir_iterate.c +++ b/lib/ext2fs/dir_iterate.c @@ -221,6 +221,10 @@ int ext2fs_process_dir_block(ext2_filsys fs, if (ext2fs_has_feature_metadata_csum(fs->super)) csum_size = sizeof(struct ext2_dir_entry_tail); + if (buflen < 8) { + ctx->errcode = EXT2_ET_DIR_CORRUPTED; + return BLOCK_ABORT; + } while (offset < buflen - 8) { dirent = (struct ext2_dir_entry *) (ctx->buf + offset); if (ext2fs_get_rec_len(fs, dirent, &rec_len)) |
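Review bot: The new guard `if (buflen < 8)` repeats the bare literal 8 that the loop condition `offset < buflen - 8` already uses, and nothing in the hunk says what the 8 stands for. A named constant or a one-line comment shared by both sites would keep the guard and the loop bound from drifting apart if one of them is changed later. The boundary case is also worth a comment: with `buflen` exactly 8 the guard passes, the loop bound becomes 0, and the body is not entered for a non-negative `offset`, so the function continues without setting `ctx->errcode`; please confirm that silently treating such a block as having no entries is intended rather than reporting EXT2_ET_DIR_CORRUPTED for it too. Finally, the diffstat lists only lib/ext2fs/dir_iterate.c, so no regression test accompanies the check; a test with a too-short inline data directory would keep this from regressing.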