lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
Windows Registry hive "ri"-records are arbitrarily nested B-tree-like structures:

    +-------------+
    | ri          |
    |-------------|
    | nr_offsets  |
    | offset[0] ------> points to another lf/lh/li/ri block
    | offset[1] ------>
    | offset[2] ------>
    +-------------+

It is possible to construct a hive with a very deeply nested tree of ri-records, causing the internal _get_children function to recurse to any depth which can cause programs linked to hivex to crash with a stack overflow.

Since it is not thought that deeply nested ri-records occur in real hives, limit recursion depth. If you hit this limit you will see the following error and the operation will return an error instead of crashing:

    > ls
    hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
    ls: Invalid argument

Thanks to Jeremy Galindo for finding and reporting this bug.

Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3622
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
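The depth limit described in the commit message, as an added sketch that is not hivex's code and not part of this commit: a recursive walker that carries a depth counter and returns EINVAL instead of descending past 32 nested ri-records. The one-byte block layout and the names `walk`, `walk_chain` and `MAX_RI_DEPTH` are assumptions made for the example, not the real hive format or the hivex API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RI_DEPTH 32 /* bound taken from the error message above */

/* Constructed toy layout, NOT the real hive format:
 *   byte 0:   'r' (ri-record) or 'l' (leaf list)
 *   byte 1:   nr_offsets for 'r', number of subkeys for 'l'
 *   byte 2..: one-byte offsets of the child blocks ('r' only) */
static long walk(const uint8_t *buf, size_t len, size_t off, unsigned depth)
{
    if (off + 2 > len) return -EINVAL;         /* header outside the buffer */
    if (buf[off] == 'l') return buf[off + 1];  /* leaf: recursion ends here */
    if (buf[off] != 'r') return -EINVAL;       /* unknown block type */
    if (depth >= MAX_RI_DEPTH) return -EINVAL; /* nested too deep: refuse */
    size_t n = buf[off + 1];
    if (off + 2 + n > len) return -EINVAL;     /* offset table out of bounds */
    long total = 0;
    for (size_t i = 0; i < n; i++) {
        long r = walk(buf, len, buf[off + 2 + i], depth + 1);
        if (r < 0) return r;                   /* propagate the error upward */
        total += r;
    }
    return total;
}

/* Build a chain of `levels` nested ri-records ending in a leaf with three
 * subkeys, then walk it. Returns the subkey count or a negative errno. */
long walk_chain(unsigned levels)
{
    uint8_t buf[256] = {0};
    size_t off = 0;
    if (levels > 80) return -ERANGE;           /* keep offsets within one byte */
    for (unsigned i = 0; i < levels; i++, off += 3) {
        buf[off] = 'r'; buf[off + 1] = 1; buf[off + 2] = (uint8_t)(off + 3);
    }
    buf[off] = 'l'; buf[off + 1] = 3;
    return walk(buf, off + 2, 0, 0);
}

int main(void)
{
    printf("4 levels:  %ld\n", walk_chain(4));
    printf("32 levels: %ld\n", walk_chain(32));
    printf("33 levels: %ld (-EINVAL)\n", walk_chain(33));
    return 0;
}
```

The check sits on the ri-record branch only, so a leaf reached at depth 32 is still read while a 33rd nested ri-record is rejected and the error propagates to the caller.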