Date:      Wed, 20 May 2026 19:13:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 272896] cd9660_rrip_*() can read beyond the end of a buf
Message-ID:  <bug-272896-227-wECVqIVQWY@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272896-227@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272896

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |In Progress
           Assignee|bugs@FreeBSD.org            |jhb@FreeBSD.org

--- Comment #1 from John Baldwin <jhb@FreeBSD.org> ---
I've uploaded a patch that adds an extra check to cd9660_rrip_loop() to ensure
that the entire extension structure is in bounds (not just the header) which
mitigates the reproducer here: https://reviews.freebsd.org/D57135

I've also added a followup change to fix the various handlers to ensure that
the length reported in the header is long enough to cover the data they read
from the structure.  A few places were doing this before (such as symlink
handling) though I'm not sure it was always consistent.  The changes for this
are at https://reviews.freebsd.org/D57136

There is one other potential set of checks we could make which is to reject
duplicate attributes if they show up, but I think those will not result in a
crash, just that later attributes might overwrite (or append to!) previous
values.

-- 
You are receiving this mail because:
You are the assignee for the bug.
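The two classes of check the comment describes (the whole record in bounds before it is dispatched, and each handler verifying the header's length field covers the fields it reads), as an added C example that is not FreeBSD's cd9660 code and not the D57135/D57136 patches. The record layout (2-byte signature, 1-byte length, 1-byte version, payload), the function name rrip_walk, the result codes and the per-handler minimum lengths are this example's own assumptions; the sample buffers are constructed.

```c
/* Added example, not FreeBSD's cd9660 code: a bounds-checked walker over a
 * buffer of SUSP-style extension records. Layout assumed here:
 *   bytes 0-1: signature, byte 2: total record length, byte 3: version. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUSP_HDR_LEN 4

/* Minimum length each handler needs; these values are this example's
 * assumptions, chosen to illustrate the per-handler check. */
#define NM_MIN_LEN (SUSP_HDR_LEN + 1)   /* one flags byte before the name */
#define PX_MIN_LEN (SUSP_HDR_LEN + 32)  /* four 8-byte both-endian fields */

enum walk_result {
    WALK_OK = 0,
    WALK_TRUNC_HEADER,        /* fewer than SUSP_HDR_LEN bytes left */
    WALK_TRUNC_RECORD,        /* length field points past the buffer */
    WALK_SHORT_FOR_HANDLER    /* record too short for the fields its handler reads */
};

struct walk_stats { int records; int nm; int px; int unknown; enum walk_result rc; };

/* Hypothetical walker: never reads a byte outside [buf, buf+len). */
struct walk_stats rrip_walk(const uint8_t *buf, size_t len)
{
    struct walk_stats st = {0};
    size_t off = 0;

    while (off < len) {
        /* 1. The header itself must be in bounds before rec[2] is read. */
        if (len - off < SUSP_HDR_LEN) { st.rc = WALK_TRUNC_HEADER; return st; }
        const uint8_t *rec = buf + off;
        uint8_t rlen = rec[2];

        /* 2. The whole record must be in bounds, not just the header.
         *    A length below the header size is rejected too, since it
         *    would otherwise make the loop re-parse the same offset. */
        if (rlen < SUSP_HDR_LEN || rlen > len - off) { st.rc = WALK_TRUNC_RECORD; return st; }
        st.records++;

        /* 3. Each handler checks rlen covers what it is about to read. */
        if (rec[0] == 'N' && rec[1] == 'M') {
            if (rlen < NM_MIN_LEN) { st.rc = WALK_SHORT_FOR_HANDLER; return st; }
            st.nm++;   /* name bytes are rec[5 .. rlen), bounded by rlen */
        } else if (rec[0] == 'P' && rec[1] == 'X') {
            if (rlen < PX_MIN_LEN) { st.rc = WALK_SHORT_FOR_HANDLER; return st; }
            st.px++;   /* fixed-size fields all lie within rec[4 .. PX_MIN_LEN) */
        } else {
            st.unknown++;   /* unknown signature: skipped using its own length */
        }
        off += rlen;
    }
    st.rc = WALK_OK;
    return st;
}

/* Constructed sample: an NM record naming "a", then a zero-filled PX record. */
struct walk_stats walk_good(void)
{
    static const uint8_t buf[6 + PX_MIN_LEN] = { 'N', 'M', 6, 1, 0, 'a', 'P', 'X', PX_MIN_LEN, 1 };
    return rrip_walk(buf, sizeof buf);
}

/* Constructed sample: header claims 20 bytes but only 6 are present. */
struct walk_stats walk_truncated_record(void)
{
    static const uint8_t buf[] = { 'N', 'M', 20, 1, 0, 'a' };
    return rrip_walk(buf, sizeof buf);
}

/* Constructed sample: buffer ends in the middle of a header. */
struct walk_stats walk_truncated_header(void)
{
    static const uint8_t buf[] = { 'N', 'M', 6 };
    return rrip_walk(buf, sizeof buf);
}

/* Constructed sample: a well-formed 4-byte record, but NM needs its flags byte. */
struct walk_stats walk_short_nm(void)
{
    static const uint8_t buf[] = { 'N', 'M', 4, 1 };
    return rrip_walk(buf, sizeof buf);
}

int main(void)
{
    struct walk_stats g = walk_good();
    printf("good: rc=%d records=%d nm=%d px=%d\n", g.rc, g.records, g.nm, g.px);
    printf("truncated record: rc=%d\n", walk_truncated_record().rc);
    printf("truncated header: rc=%d\n", walk_truncated_header().rc);
    printf("short NM: rc=%d\n", walk_short_nm().rc);
    return 0;
}
```

Check 2 is the one that stops a record's payload being read past the buffer even when its header fits; check 3 is what keeps a handler from trusting a length that is in bounds but still too small for the fields it dereferences, which is the case a loop-level check alone does not cover.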
