[PATCH 3.13.y-ckt 13/19] isofs: Fix unchecked printing of ER records
Kamal Mostafa
kamal at canonical.com
Thu Jan 15 22:09:49 UTC 2015
3.13.11-ckt14 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack at suse.cz>
commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream.
We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Reported-and-tested-by: Carl Henrik Lunde <chlunde at ping.uio.no>
Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
fs/isofs/rock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index bb63254..735d752 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -362,6 +362,9 @@ repeat:
rs.cont_size = isonum_733(rr->u.CE.size);
break;
case SIG('E', 'R'):
+ /* Invalid length of ER tag id? */
+ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
+ goto out;
ISOFS_SB(inode->i_sb)->s_rock = 1;
printk(KERN_DEBUG "ISO 9660 Extensions: ");
{
--
1.9.1
More information about the kernel-team
mailing list