From: chrisw@osdl.org Date: Sat, 26 Mar 2005 01:46:03 +0000 (-0800) Subject: [PATCH] isofs: more defensive checks against corrupt isofs images X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc981951dbc7d761777faaaf0fa246d9c9e78604;p=thirdparty%2Fkernel%2Fstable.git [PATCH] isofs: more defensive checks against corrupt isofs images Michal Zalewski discovers range checking flaws in iso9660 filesystem. http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2 CAN-2005-0815 is assigned to this issue. Some more defensive checks to keep corrupt isofs images from corrupting memory or causing Oops. Signed-off-by: Chris Wright ===== fs/isofs/rock.c 1.23 vs edited ===== --- diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 1c8d997d44a71..8bdd3e409543b 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -74,6 +74,10 @@ offset1 = 0; \ pbh = sb_bread(DEV->i_sb, block); \ if(pbh){ \ + if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \ + brelse(pbh); \ + goto out; \ + } \ memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \ brelse(pbh); \ chr = (unsigned char *) buffer; \
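Review bot: The second clause of the added check, `offset + cont_size > pbh->b_size`, computes a sum that can wrap when both values are taken from a corrupt image, in which case the comparison passes and the `memcpy` still reads past `pbh->b_data`. The first clause already establishes `offset <= pbh->b_size`, so the second can be written as `cont_size > pbh->b_size - offset`, which needs no addition. The declared types of `offset` and `cont_size` are not visible in this hunk; if either is signed, a negative value should be rejected explicitly before the comparison. The check covers only the source side of the copy: the destination `buffer + offset1` receives `cont_size - offset1` bytes, and nothing in the visible lines bounds `cont_size` against the size of `buffer`, so that allocation is worth confirming in the surrounding code. Finally, the `goto out` sits inside a macro body, so every function that expands the macro must provide an `out` label; a short comment at the macro definition would document that requirement.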