Date: Sat, 12 Mar 2016 02:29:47 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-fs@FreeBSD.org
Subject: [Bug 204643] [msdosfs] [panic] Crash while accessing files with large, non-english names
Message-ID: <bug-204643-3630-NjWAqVbPbP@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-204643-3630@https.bugs.freebsd.org/bugzilla/>
References: <bug-204643-3630@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204643

Kristof Provost <kp@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #2 from Kristof Provost <kp@freebsd.org> ---
The cause is fairly obvious.

In msdosfs_readdir() we use dos2unixfn() to translate the file name. The
translation can increase the length of the filename; presumably this happened
with the non-English name in this case.

The output is stored in a (stored on the stack) struct dirent, where the d_name
has a maximum length of 255 bytes. dos2unixfn() has no length limit, so it can
overflow the d_name.

This triggers the stack corruption protection. Fortunately, or this might be an
exploitable bug.

Fixing it is a little annoying, because it could conceivably lead to two
directory names being translated into the same string.

-- 
You are receiving this mail because:
You are the assignee for the bug.
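The bug class described in the comment (a character-set translation that can grow a name past the fixed 255-byte d_name on the stack) and the mitigation shape, as an added example that is not part of the bug report or of FreeBSD's msdosfs code. The translator below is a hypothetical stand-in, not dos2unixfn(): it maps every byte at or above 0x80 to a constructed code point in the U+0400 block so that a name can double in size. The bounded version computes the output length first and refuses names that would not fit, rather than truncating them, which is one way to avoid the collision concern raised at the end of the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same limit as d_name in struct dirent: 255 bytes plus the terminating NUL. */
#define NAME_MAX_LEN 255

/*
 * Hypothetical stand-in for a code-page-to-UTF-8 filename translator
 * (NOT msdosfs's dos2unixfn()). Bytes below 0x80 copy through; every
 * byte >= 0x80 maps to a constructed code point 0x0400 + (b - 0x80) and
 * becomes a 2-byte UTF-8 sequence, so a name can grow to twice its
 * on-disk length.
 */
static size_t encode_byte(uint8_t b, char out[2]) {
    if (b < 0x80) {
        out[0] = (char)b;
        return 1;
    }
    unsigned cp = 0x0400u + (b - 0x80u);          /* constructed mapping */
    out[0] = (char)(0xC0 | (cp >> 6));
    out[1] = (char)(0x80 | (cp & 0x3F));
    return 2;
}

/* Length the translated name would need, computed without writing anything. */
size_t translated_len(const uint8_t *in, size_t inlen) {
    size_t n = 0;
    for (size_t i = 0; i < inlen; i++)
        n += (in[i] < 0x80) ? 1 : 2;
    return n;
}

/*
 * Bounded translation: returns -1 if the result would not fit in outcap-1
 * bytes (the caller can map that to ENAMETOOLONG), otherwise writes the
 * NUL-terminated result into out and returns its length. Refusing instead
 * of truncating keeps two distinct on-disk names from collapsing into the
 * same translated string.
 */
int translate_name(const uint8_t *in, size_t inlen, char *out, size_t outcap) {
    if (outcap == 0 || translated_len(in, inlen) >= outcap)
        return -1;
    size_t pos = 0;
    for (size_t i = 0; i < inlen; i++) {
        char tmp[2];
        size_t k = encode_byte(in[i], tmp);
        memcpy(out + pos, tmp, k);
        pos += k;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed 200-byte name made only of high bytes: it would expand to 400
 * bytes, so the bounded translator must reject it instead of overrunning. */
int demo_long_name_rejected(void) {
    uint8_t name[200];
    memset(name, 0xC0, sizeof name);
    char d_name[NAME_MAX_LEN + 1];
    return translate_name(name, sizeof name, d_name, sizeof d_name);
}

int main(void) {
    const uint8_t ascii[] = "readme.txt";               /* constructed sample */
    char d_name[NAME_MAX_LEN + 1];
    int n = translate_name(ascii, sizeof ascii - 1, d_name, sizeof d_name);
    printf("ascii name: %d bytes -> %s\n", n, d_name);
    printf("200-byte high-byte name: %d (rejected)\n", demo_long_name_rejected());
    return 0;
}
```

The important property is that the length check happens before any byte is written: with an unbounded translator the caller only learns that the name was too long after d_name and whatever sits beyond it on the stack have already been overwritten, which is exactly the point at which the stack protector fires.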