diff options
author | Theodore Ts'o <tytso@mit.edu> | 2020-08-26 16:29:29 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2020-08-26 16:29:29 -0400 |
commit | 7b63656df911172efea39295266501cdd91869d7 (patch) | |
tree | 974b71732fcf22b0baee474402ac1b1203a5a3f7 | |
parent | 6cdd4b9309fb7aad1746e7abab2afc756274dcbc (diff) | |
download | e2fsprogs-7b63656df911172efea39295266501cdd91869d7.tar.gz |
libext2fs: fix potential buffer overrun in __get_dirent_tail()
If the file system is corrupted, there is a potential of a read-only
buffer overrun. Fortunately, we don't actually use the result of that
pointer dereference, and the overrun is at most 64k.
Google-Bug-Id: #158564737
Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | lib/ext2fs/csum.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c index 54b53a3c5..9b0b7908e 100644 --- a/lib/ext2fs/csum.c +++ b/lib/ext2fs/csum.c @@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs, d = dirent; top = EXT2_DIRENT_TAIL(dirent, fs->blocksize); - rec_len = translate(d->rec_len); while ((void *) d < top) { + rec_len = translate(d->rec_len); if ((rec_len < 8) || (rec_len & 0x03)) return EXT2_ET_DIR_CORRUPTED; d = (struct ext2_dir_entry *)(((char *)d) + rec_len); - rec_len = translate(d->rec_len); } if ((char *)d > ((char *)dirent + fs->blocksize)) |