libblkid: avoid buffer overflow in ocfs superblock parsing
authorMilan Broz <gmazyland@gmail.com>
Sun, 9 Oct 2022 18:20:45 +0000 (20:20 +0200)
committerKarel Zak <kzak@redhat.com>
Mon, 10 Oct 2022 08:17:29 +0000 (10:17 +0200)
Label and mount values are checked only according to on-disk
values and not checked against the real structure size.
This can lead to reading of memory outside of superblock
struct and subsequent crash.

Reproducer found with OSS-Fuzz (issue 52270) running over
cryptsetup project (blkid is used in header init).

Signed-off-by: Milan Broz <gmazyland@gmail.com>
libblkid/src/superblocks/ocfs.c

index 28df6ddfa431770a1510af6fbd53cc4e6fc5d8bb..e213d66b4472eeeb7c3389ef9bcf92f35101be21 100644 (file)
@@ -129,10 +129,12 @@ static int probe_ocfs(blkid_probe pr, const struct blkid_idmag *mag)
                blkid_probe_set_value(pr, "SEC_TYPE",
                                (unsigned char *) "ntocfs", sizeof("ntocfs"));
 
-       blkid_probe_set_label(pr, (unsigned char *) ovl.label,
-                               ocfslabellen(ovl));
-       blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
-                               ocfsmountlen(ovh));
+       if (ocfslabellen(ovl) < sizeof(ovl.label))
+               blkid_probe_set_label(pr, (unsigned char *) ovl.label,
+                                       ocfslabellen(ovl));
+       if (ocfsmountlen(ovh) < sizeof(ovh.mount))
+               blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
+                                       ocfsmountlen(ovh));
        blkid_probe_set_uuid(pr, ovl.vol_id);
        blkid_probe_sprintf_version(pr, "%u.%u", maj, min);
        return 0;
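Review bot: When either new bound check fails, the LABEL or MOUNT value is silently dropped, yet probe_ocfs still sets the UUID and version and returns 0, so a superblock whose on-disk length fields are inconsistent with the struct is still reported as a valid OCFS volume. If such a header should instead count as not-OCFS, a single early rejection such as `if (ocfslabellen(ovl) >= sizeof(ovl.label) || ocfsmountlen(ovh) >= sizeof(ovh.mount)) return 1;` ahead of the first `blkid_probe_set_value()` call would make that explicit; this assumes 1 is this prober's "nothing found" return, which the hunk does not show. If keeping the partial result is intended, a comment like `/* lengths are read from disk; skip fields that would overrun the struct */` above the checks would record why. The strict `<` also skips a length exactly equal to the array size, which looks in bounds if the setters read only `len` bytes, so it is worth confirming that boundary is deliberate. The function body starts outside the hunk.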