Commit e237ec3

udf: Check component length before reading it
Check that length specified in a component of a symlink fits in the input buffer we are reading. Also properly ignore component length for component types that do not use it. Otherwise we read memory after end of buffer for corrupted udf image.

Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
1 parent 0e5cc9a commit e237ec3

1 file changed

+7
-2
lines changed

Diff for: fs/udf/symlink.c

@@ -42,14 +42,17 @@ static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
4242
tolen--;
4343
while (elen < fromlen) {
4444
pc = (struct pathComponent *)(from + elen);
45+
elen += sizeof(struct pathComponent);
4546
switch (pc->componentType) {
4647
case 1:
4748
/*
4849
* Symlink points to some place which should be agreed
4950
* upon between originator and receiver of the media. Ignore.
5051
*/
51-
if (pc->lengthComponentIdent > 0)
52+
if (pc->lengthComponentIdent > 0) {
53+
elen += pc->lengthComponentIdent;
5254
break;
55+
}
5356
/* Fall through */
5457
case 2:
5558
if (tolen == 0)
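Review bot: At the top of the loop, `pc->componentType` and `pc->lengthComponentIdent` are read after only `elen < fromlen` has been tested, so nothing in this hunk confirms that a whole `struct pathComponent` header still fits in the buffer before it is dereferenced. Consider rejecting the record when `elen + sizeof(struct pathComponent) > fromlen`, returning -EIO as case 5 does, before entering the `switch`. In case 1 the added `elen += pc->lengthComponentIdent;` can also carry `elen` past `fromlen`; the loop condition then ends parsing silently, while case 5 treats the same condition as an error, so it is worth deciding whether the two should behave alike.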
@@ -74,6 +77,9 @@ static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
7477
/* that would be . - just ignore */
7578
break;
7679
case 5:
80+
elen += pc->lengthComponentIdent;
81+
if (elen > fromlen)
82+
return -EIO;
7783
comp_len = udf_get_filename(sb, pc->componentIdent,
7884
pc->lengthComponentIdent,
7985
p, tolen);
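Review bot: The early `return -EIO;` added in case 5 leaves the function from inside the loop, so whatever earlier components already wrote through `p` stays in the output buffer without the terminator that the normal exit path adds with `p[-1] = '\0';`. Please confirm that the caller discards the buffer on a negative return. A one-line comment above `if (elen > fromlen)` saying that it guards the `componentIdent` bytes passed to `udf_get_filename()` against a corrupted image would also help, since the check has to stay ahead of that call.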
@@ -85,7 +91,6 @@ static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
8591
tolen--;
8692
break;
8793
}
88-
elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
8994
}
9095
if (p > to + 1)
9196
p[-1] = '\0';
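Review bot: With the shared `elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;` removed from the bottom of the loop, any component type that does not add its own length now advances by the header size only. That matches the commit message for the types that do not use the length, but no `default:` label is visible in these hunks, so an unrecognised `componentType` carrying a non-zero `lengthComponentIdent` would have its identifier bytes reinterpreted as the next header. Consider an explicit `default:` that either fails with -EIO or documents why unknown types are skipped at header granularity.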
