libext2fs: fix potential buffer overrun in __get_dirent_tail()
authorTheodore Ts'o <tytso@mit.edu>
Wed, 26 Aug 2020 20:29:29 +0000 (16:29 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Wed, 26 Aug 2020 20:29:29 +0000 (16:29 -0400)
If the file system is corrupted, there is a potential of a read-only
buffer overrun.  Fortunately, we don't actually use the result of that
pointer dereference, and the overrun is at most 64k.

Google-Bug-Id: #158564737
Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/csum.c

index 54b53a3c5a5df3f817c63dc2d03a3abe6021ff33..9b0b7908e0f6ede0837256277f601b105c2d057d 100644 (file)
@@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
        d = dirent;
        top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
 
-       rec_len = translate(d->rec_len);
        while ((void *) d < top) {
+               rec_len = translate(d->rec_len);
                if ((rec_len < 8) || (rec_len & 0x03))
                        return EXT2_ET_DIR_CORRUPTED;
                d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
-               rec_len = translate(d->rec_len);
        }
 
        if ((char *)d > ((char *)dirent + fs->blocksize))
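Review bot: The advance `d = (struct ext2_dir_entry *)(((char *)d) + rec_len);` is still not bounded by the bytes left in the block, so a corrupted rec_len forms a pointer past the end of the buffer before the comparison after the loop can reject it. Moving the read inside the loop stops the out-of-bounds dereference, but computing a pointer beyond one past the end of an object is itself undefined in C, so the walk's safety rests entirely on that later check. I would reject the oversized record alongside the other rec_len checks, e.g. `if (rec_len > (size_t)(((char *)dirent + fs->blocksize) - (char *)d)) return EXT2_ET_DIR_CORRUPTED;`, assuming rec_len is an unsigned type (its declaration is outside the hunk). A short comment on the loop, such as `/* d->rec_len may only be read while d < top */`, would also keep a later refactor from hoisting the read out again. __get_dirent_tail() starts and ends outside this hunk, so what the final comparison returns is not visible here.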