The descriptor count is derived from attacker-controlled anchor length
and has no upper bound. Cap at 64 -- a UDF volume descriptor sequence
contains only a handful of descriptors (PVD, LVD, USD, IUVD, TD, ...),
similar to the kernel's UDF_MAX_TD_NESTING limit in fs/udf/super.c.

Signed-off-by: Karel Zak <kzak@redhat.com>

/* Use the actual block size from here on out */
bs = pbs[i];
- /* get descriptor list address and block count */
+ /* get descriptor list address and block count;
+ * UDF volume descriptor sequence is short (PVD, LVD, USD, IUVD, TD, etc.),
+ * cap iteration to avoid DoS from crafted anchor length
+ * (the kernel uses UDF_MAX_TD_NESTING=64 for a similar purpose) */
count = le32_to_cpu(vd->type.anchor.length) / bs;
+ if (count > 64)
+ count = 64;
loc = le32_to_cpu(vd->type.anchor.location);
/* pick the primary descriptor from the list and read UDF identifiers */
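Review bot: the limit in `if (count > 64)` is a bare literal that appears a second time only in the comment above it; a named constant defined once would keep the check and the comment from drifting apart and make the limit easy to find later. The clamp is also silent: when `anchor.length / bs` exceeds 64, only the first 64 blocks of the sequence are considered and nothing records that truncation happened, so a debug message at the clamp would help when an image probes differently than expected. The comment could also state that the limit is in blocks of size `bs` rather than in descriptors, since that is the unit `count` holds after the division.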