When we're (a) reading EAs into a buffer; (b) byte-swapping EA
entries; or (c) checking EA data, be careful not to run off the end of
the memory buffer, because this causes invalid memory accesses and
e2fsck crashes. This can happen if we encounter a specially crafted
FS image.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
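The pattern the patch applies, checking that the fixed-size entry header fits in the remaining buffer before reading it and then checking that the variable-length name fits before advancing, is shown below as an added example. This is not e2fsprogs code: `struct xattr_entry`, `ENTRY_LEN`, `walk_xattr_entries` and the sample buffers are hypothetical, with the struct layout modelled on the ext4 on-disk xattr entry header, and the three `example_*` functions build constructed buffers (well-formed, truncated mid-header, and a name length that overruns the buffer).

```c
/* Added example, not e2fsprogs code: a bounds-checked walk over a buffer of
 * extended-attribute entries.  Struct and helper names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct xattr_entry {
    uint8_t  e_name_len;     /* length of the name that follows the header */
    uint8_t  e_name_index;
    uint16_t e_value_offs;
    uint32_t e_value_inum;
    uint32_t e_value_size;
    uint32_t e_hash;
    /* e_name_len bytes of name follow, padded to a 4-byte boundary */
};

#define ENTRY_ROUND 4
#define ENTRY_LEN(name_len) \
    ((sizeof(struct xattr_entry) + (name_len) + ENTRY_ROUND - 1) & ~(size_t)(ENTRY_ROUND - 1))

/* The entry list ends with a 4-byte zero word where the next header would be. */
static int is_last_entry(const unsigned char *p)
{
    uint32_t w;
    memcpy(&w, p, sizeof(w));
    return w == 0;
}

/* Walk the entries in buf[0..size).  Returns the number of entries, or -1
 * if the buffer ends inside a header, inside a name, or before the
 * terminator.  Every read is preceded by a check that its bytes are in range. */
int walk_xattr_entries(const unsigned char *buf, size_t size)
{
    size_t off = 0;
    int count = 0;

    for (;;) {
        struct xattr_entry e;
        size_t len;

        /* The 4-byte terminator word must fit before we test for it. */
        if (size - off < sizeof(uint32_t))
            return -1;
        if (is_last_entry(buf + off))
            return count;

        /* A whole fixed-size header must fit before we read e_name_len. */
        if (size - off < sizeof(struct xattr_entry))
            return -1;
        memcpy(&e, buf + off, sizeof(e));

        /* The name and its padding must fit before we advance over them. */
        len = ENTRY_LEN(e.e_name_len);
        if (len > size - off)
            return -1;

        count++;
        off += len;
    }
}

/* Write one constructed entry (header + name + padding); returns bytes written. */
static size_t put_entry(unsigned char *dst, const char *name)
{
    struct xattr_entry e;
    size_t n = strlen(name);
    size_t len = ENTRY_LEN(n);

    memset(&e, 0, sizeof(e));
    e.e_name_len = (uint8_t)n;
    e.e_name_index = 1;
    e.e_value_size = 4;
    e.e_hash = 0x1234;           /* constructed value, not a real hash */
    memcpy(dst, &e, sizeof(e));
    memcpy(dst + sizeof(e), name, n);
    memset(dst + sizeof(e) + n, 0, len - sizeof(e) - n);
    return len;
}

/* Two entries followed by the zero terminator: walk returns 2. */
int example_well_formed(void)
{
    unsigned char buf[64];
    size_t off = 0;
    memset(buf, 0, sizeof(buf));
    off += put_entry(buf + off, "user.a");
    off += put_entry(buf + off, "user.bb");
    return walk_xattr_entries(buf, off + sizeof(uint32_t));
}

/* Same data, but the buffer ends 3 bytes into the second header: returns -1. */
int example_truncated(void)
{
    unsigned char buf[64];
    size_t off = 0;
    memset(buf, 0, sizeof(buf));
    off += put_entry(buf + off, "user.a");
    off += put_entry(buf + off, "user.bb");
    return walk_xattr_entries(buf, ENTRY_LEN(6) + 3);
}

/* e_name_len claims 200 bytes of name but only 28 bytes exist: returns -1. */
int example_name_overrun(void)
{
    unsigned char buf[64];
    size_t off;
    memset(buf, 0, sizeof(buf));
    off = put_entry(buf, "user.a");
    buf[0] = 200;
    return walk_xattr_entries(buf, off + sizeof(uint32_t));
}

int main(void)
{
    printf("well-formed: %d\n", example_well_formed());
    printf("truncated: %d\n", example_truncated());
    printf("name overrun: %d\n", example_name_overrun());
    return 0;
}
```

The two checks mirror the two hunks in the patch: the header-size check is what the new `remain >= sizeof(struct ext2_ext_attr_entry)` guard provides, and the name-length check is what the `EXT2_EXT_ATTR_NEXT(from_entry) <= from_end` comparison provides in the swap loop; the terminator check is done through a 4-byte copy so that it, too, never reads past `size`.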
/* take finish entry 0UL into account */
remain = storage_size - sizeof(__u32);
- while (!EXT2_EXT_IS_LAST_ENTRY(entry)) {
+ while (remain >= sizeof(struct ext2_ext_attr_entry) &&
+ !EXT2_EXT_IS_LAST_ENTRY(entry)) {
__u32 hash;
/* header eats this space */
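Review bot: `remain = storage_size - sizeof(__u32);` just above the loop is not guarded against `storage_size` being smaller than 4 bytes; if `remain` is unsigned the subtraction wraps and the new `remain >= sizeof(struct ext2_ext_attr_entry)` test passes on the wrapped value, so add `if (storage_size < sizeof(__u32)) return <the error the caller expects>;` before it. The new guard only proves that the fixed-size header of `entry` is readable; the variable-length name after the header still has to be bounded in the body where the `/* header eats this space */` accounting runs. The operand order is right as written: `remain` is tested before `EXT2_EXT_IS_LAST_ENTRY(entry)` dereferences `entry`.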
entry = entries;
remain = storage_size;
- while (!EXT2_EXT_IS_LAST_ENTRY(entry)) {
+ while (remain >= sizeof(struct ext2_ext_attr_entry) &&
+ !EXT2_EXT_IS_LAST_ENTRY(entry)) {
__u32 hash;
/* header eats this space */
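Review bot: this loop starts from `remain = storage_size;` while the loop above starts from `storage_size - sizeof(__u32)` to reserve the 4-byte terminator; if both walks end on the same zero terminator the same reservation belongs here, otherwise a comment should say why the terminator is not reserved in this case. The guard and loop are otherwise a copy of the previous hunk; a single static helper taking `entries` and `storage_size` would keep the two bounds checks from drifting apart in later changes.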
to_entry = (struct ext2_ext_attr_entry *)to_header;
}
- while ((char *)from_entry < from_end && *(__u32 *)from_entry) {
+ while ((char *)from_entry < from_end &&
+ (char *)EXT2_EXT_ATTR_NEXT(from_entry) <= from_end &&
+ *(__u32 *)from_entry) {
ext2fs_swap_ext_attr_entry(to_entry, from_entry);
from_entry = EXT2_EXT_ATTR_NEXT(from_entry);
to_entry = EXT2_EXT_ATTR_NEXT(to_entry);
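Review bot: the new condition still reads `from_entry` before a whole header is known to be in bounds: `(char *)from_entry < from_end` only guarantees one byte, but `EXT2_EXT_ATTR_NEXT(from_entry)` has to read the entry's length fields to locate the next entry, and `*(__u32 *)from_entry` reads four. Put a header-size test first and keep the terminator test last, e.g. `while ((char *)from_entry + sizeof(*from_entry) <= from_end && (char *)EXT2_EXT_ATTR_NEXT(from_entry) <= from_end && *(__u32 *)from_entry)`. With that in front, the `<= from_end` bound on the next entry correctly covers the name bytes before `ext2fs_swap_ext_attr_entry` and the two `EXT2_EXT_ATTR_NEXT` advances touch them.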