[PATCH] isofs: more "corrupted iso image" error cases
authortorvalds@osdl.org <torvalds@osdl.org>
Sat, 26 Mar 2005 01:45:24 +0000 (17:45 -0800)
committerGreg KH <gregkh@suse.de>
Thu, 12 May 2005 17:00:16 +0000 (10:00 -0700)
Michal Zalewski <lcamtuf@dione.ids.pl> discovered range-checking flaws in
the iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

From: Linus Torvalds <torvalds@osdl.org>

isofs: more "corrupted iso image" error cases

Thanks to Michal Zalewski for testing.

Signed-off-by: Chris Wright <chrisw@osdl.org>
fs/isofs/inode.c

index 0ee7beb9d48ad21f6b9cc7938c7a345f281e6793..b9256e65e144c3be72faa612fc4ebf10c6edf6e2 100644 (file)
@@ -685,6 +685,8 @@ root_found:
          sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size);
          sbi->s_max_size = isonum_733(h_pri->volume_space_size);
        } else {
+         if (!pri)
+           goto out_freebh;
          rootp = (struct iso_directory_record *) pri->root_directory_record;
          sbi->s_nzones = isonum_733 (pri->volume_space_size);
          sbi->s_log_zone_size = isonum_723 (pri->logical_block_size);
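Review bot: The new `if (!pri) goto out_freebh;` guard in the non-High-Sierra branch fails the mount without a diagnostic, and nothing in the hunk says when `pri` can still be NULL at `root_found`. A short comment above the check, such as `/* no primary volume descriptor was found: treat the image as corrupted */`, would document the invariant that the `pri->` dereferences on the following lines rely on. The High Sierra branch just above dereferences `h_pri` with no matching guard in view; that is presumably safe if `high_sierra` is only set once `h_pri` has been assigned, but it is worth confirming. The enclosing function starts and ends outside the hunk, so what `out_freebh` releases and returns cannot be checked from here.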
@@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_block *sb,
        struct inode *inode;
        struct isofs_iget5_callback_data data;
 
+       if (offset >= 1ul << sb->s_blocksize_bits)
+               return NULL;
+
        data.block = block;
        data.offset = offset;