From d7fa8ed63891b0058c5df8aa809e34de61008f51 Mon Sep 17 00:00:00 2001
From: Milan Broz
Date: Sun, 9 Oct 2022 20:20:45 +0200
Subject: [PATCH] libblkid: avoid buffer overflow in ocfs superblock parsing

Label and mount values are checked only according to on-disk values and not checked against the real structure size. This can lead to reading of memory outside of superblock struct and subsequent crash. Reproducer found with OSS-Fuzz (issue 52270) running over cryptsetup project (blkid is used in header init).

Signed-off-by: Milan Broz
---
 libblkid/src/superblocks/ocfs.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libblkid/src/superblocks/ocfs.c b/libblkid/src/superblocks/ocfs.c
index 28df6ddfa4..e213d66b44 100644
--- a/libblkid/src/superblocks/ocfs.c
+++ b/libblkid/src/superblocks/ocfs.c
@@ -129,10 +129,12 @@ static int probe_ocfs(blkid_probe pr, const struct blkid_idmag *mag)
 blkid_probe_set_value(pr, "SEC_TYPE", (unsigned char *) "ntocfs", sizeof("ntocfs"));
- blkid_probe_set_label(pr, (unsigned char *) ovl.label,
- ocfslabellen(ovl));
- blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
- ocfsmountlen(ovh));
+ if (ocfslabellen(ovl) < sizeof(ovl.label))
+ blkid_probe_set_label(pr, (unsigned char *) ovl.label,
+ ocfslabellen(ovl));
+ if (ocfsmountlen(ovh) < sizeof(ovh.mount))
+ blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
+ ocfsmountlen(ovh));
 blkid_probe_set_uuid(pr, ovl.vol_id);
 blkid_probe_sprintf_version(pr, "%u.%u", maj, min);
 return 0;
--
2.47.3
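Review bot: An on-disk length that exceeds the field is silently skipped by both new guards, and the probe still sets the UUID and version and returns 0, so a superblock with a corrupt `label_len` or `mount_len` is reported as a valid ocfs volume with the label or MOUNT value missing. If a length that cannot fit the fixed-size field should count as a failed probe, the guards could reject the match instead, using whatever non-match return the rest of probe_ocfs uses (its start and end are outside this hunk). The strict `<` also drops a field whose stored length equals the array size; if the setters read exactly `len` bytes (not visible here), `if (ocfslabellen(ovl) <= sizeof(ovl.label))` would still be in bounds, and likewise for `ovh.mount`. Whichever bound is chosen deserves a short comment above the checks, such as `/* lengths come from the on-disk header; never read past the fixed-size fields */`, so the reason for the limit survives later edits.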