From: Karel Zak <kzak@redhat.com>
Date: Wed, 15 Apr 2026 13:48:09 +0000 (+0200)
Subject: libblkid: udf: cap descriptor sequence iteration count
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=57a5fb72288057be9ea8204b997c1d97e445bc63;p=thirdparty%2Futil-linux.git

libblkid: udf: cap descriptor sequence iteration count

The descriptor count is derived from attacker-controlled anchor length
and has no upper bound. Cap at 64 -- a UDF volume descriptor sequence
contains only a handful of descriptors (PVD, LVD, USD, IUVD, TD, ...),
similar to the kernel's UDF_MAX_TD_NESTING limit in fs/udf/super.c.

Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/libblkid/src/superblocks/udf.c b/libblkid/src/superblocks/udf.c
index 76d4236af..a04da63a3 100644
--- a/libblkid/src/superblocks/udf.c
+++ b/libblkid/src/superblocks/udf.c
@@ -349,8 +349,13 @@ real_blksz:
 	/* Use the actual block size from here on out */
 	bs = pbs[i];
 
-	/* get descriptor list address and block count */
+	/* get descriptor list address and block count;
+	 * UDF volume descriptor sequence is short (PVD, LVD, USD, IUVD, TD, etc.),
+	 * cap iteration to avoid DoS from crafted anchor length
+	 * (the kernel uses UDF_MAX_TD_NESTING=64 for a similar purpose) */
 	count = le32_to_cpu(vd->type.anchor.length) / bs;
+	if (count > 64)
+		count = 64;
 	loc = le32_to_cpu(vd->type.anchor.location);
 
 	/* pick the primary descriptor from the list and read UDF identifiers */