From: torvalds@osdl.org Date: Sat, 26 Mar 2005 01:45:24 +0000 (-0800) Subject: [PATCH] isofs: more "corrupted iso image" error cases X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ab3629112f49d7c69dfc510a64fd5c711994b32;p=thirdparty%2Fkernel%2Fstable.git [PATCH] isofs: more "corrupted iso image" error cases Michal Zalewski discovers range checking flaws in iso9660 filesystem. http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2 CAN-2005-0815 is assigned to this issue. From: Linus Torvalds isofs: more "corrupted iso image" error cases Thanks to Michal Zalewski for testing. Signed-off-by: Chris Wright --- diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c index 0ee7beb9d48ad..b9256e65e144c 100644 --- a/fs/isofs/inode.c +++ b/fs/isofs/inode.c @@ -685,6 +685,8 @@ root_found: sbi->s_log_zone_size = isonum_723 (h_pri->logical_block_size); sbi->s_max_size = isonum_733(h_pri->volume_space_size); } else { + if (!pri) + goto out_freebh; rootp = (struct iso_directory_record *) pri->root_directory_record; sbi->s_nzones = isonum_733 (pri->volume_space_size); sbi->s_log_zone_size = isonum_723 (pri->logical_block_size); @@ -1395,6 +1397,9 @@ struct inode *isofs_iget(struct super_block *sb, struct inode *inode; struct isofs_iget5_callback_data data; + if (offset >= 1ul << sb->s_blocksize_bits) + return NULL; + data.block = block; data.offset = offset;
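Review bot: in the first hunk (fs/isofs/inode.c, the else branch after root_found:), the new "if (!pri) goto out_freebh;" bails out silently. The subject line calls this a "corrupted iso image" error case, but nothing in the added lines reports that, so a failed mount on a malformed image leaves no hint of why. Consider logging a short message before the goto, and adding a one-line comment saying how pri can still be NULL at this point. It is also worth confirming that the branch just above, which reads h_pri->logical_block_size and h_pri->volume_space_size, cannot be reached with h_pri unset, since the hunk adds a check for only one of the two pointers.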
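Review bot: in the second hunk (isofs_iget()), the added "return NULL;" for an out-of-range offset is a failure path that every caller has to handle, and this patch touches no call sites, so please confirm each caller checks the result before using the inode. Two smaller points on the same lines: the condition "offset >= 1ul << sb->s_blocksize_bits" is correct only because the shift binds tighter than the comparison, so parenthesising it as "offset >= (1ul << sb->s_blocksize_bits)" would make the intent obvious. The test also bounds only where the directory record starts, and whether a record that begins near the end of the block and runs past it is validated elsewhere is not visible here, so a comment stating what this check does and does not guarantee would help.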