isofs: fix access to unallocated memory when reading corrupted filesystem When a directory on isofs is corrupted, we did not check whether length of the name in a directory entry and the length of the directory entry itself are consistent. This could lead to possible access beyond the end of buffer when the length of the name was too big. Add this sanity check to directory reading code. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 2deb1acc653cbd5384b107d050d2deba089db2bd [log] [tgz]
author: Jan Kara <jack@suse.cz> Wed Apr 30 00:52:33 2008 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> Wed Apr 30 08:29:33 2008 -0700
tree: 8d9a944b7f5b08b27d849a1aaa20d6ee3851ae9e
parent: 6bfe0b499082fd3950429017cd8ebf2a6c458aa5 [diff] [blame]
diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
index 1ba407c..2f0dc5a 100644
--- a/fs/isofs/dir.c
+++ b/fs/isofs/dir.c

@@ -145,6 +145,14 @@
 			}
 			de = tmpde;
 		}
+		/* Basic sanity check, whether name doesn't exceed dir entry */
+		if (de_len < de->name_len[0] +
+					sizeof(struct iso_directory_record)) {
+			printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+			       " in block %lu of inode %lu\n", block,
+			       inode->i_ino);
+			return -EIO;
+		}
 
 		if (first_de) {
 			isofs_normalize_block_and_offset(de,
commit	2deb1acc653cbd5384b107d050d2deba089db2bd	[log] [tgz]
author	Jan Kara <jack@suse.cz>	Wed Apr 30 00:52:33 2008 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	Wed Apr 30 08:29:33 2008 -0700
tree	8d9a944b7f5b08b27d849a1aaa20d6ee3851ae9e
parent	6bfe0b499082fd3950429017cd8ebf2a6c458aa5 [diff] [blame]