Date: Wed, 20 May 2026 19:13:41 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272896] cd9660_rrip_*() can read beyond the end of a buf
Message-ID: <bug-272896-227-wECVqIVQWY@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272896-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272896

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |In Progress
           Assignee|bugs@FreeBSD.org            |jhb@FreeBSD.org

--- Comment #1 from John Baldwin <jhb@FreeBSD.org> ---
I've uploaded a patch that adds an extra check to cd9660_rrip_loop() to ensure
that the entire extension structure is in bounds (not just the header) which
mitigates the reproducer here: https://reviews.freebsd.org/D57135

I've also added a followup change to fix the various handlers to ensure that
the length reported in the header is long enough to cover the data they read
from the structure. A few places were doing this before (such as symlink
handling) though I'm not sure it was always consistent. The changes for this
are at https://reviews.freebsd.org/D57136

There is one other potential set of checks we could make which is to reject
duplicate attributes if they show up, but I think those will not result in a
crash, just that later attributes might overwrite (or append to!) previous
values.

-- 
You are receiving this mail because:
You are the assignee for the bug.
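The two checks the comment describes, a whole-entry bounds check in the walking loop and a per-handler minimum-length check before any payload is read, are shown below in a small stand-alone walker over a Rock Ridge style system-use area. This is an added example written for this page; it is not FreeBSD's cd9660 code and does not reproduce cd9660_rrip_loop() or the reviews linked above. The SUSP layout used (2-byte signature, 1-byte entry length, 1-byte version), the PX and NM field sizes, the function names and the sample buffers are all simplified assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SUSP entry header (assumed layout): signature[2], length of whole entry, version. */
#define SUSP_HDR_LEN 4

enum susp_status {
    SUSP_OK = 0,
    SUSP_BAD_LEN,      /* header claims a length smaller than the header itself */
    SUSP_TRUNC_ENTRY,  /* header fits in the buffer, but the body runs past its end */
    SUSP_SHORT_ENTRY   /* entry fits, but is shorter than what its handler would read */
};

struct susp_info {
    int entries;       /* entries dispatched */
    uint32_t mode;     /* from PX */
    char name[64];     /* from NM; appended across entries, as the comment warns */
};

/* Rock Ridge "both-endian" fields store the little-endian copy first (assumed here). */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Minimum entry length each handler needs before touching its payload.
 * Assumed for this example: PX = header + 4 fields of 8 bytes = 36; NM = header + flags = 5.
 * Entries with no handler only need the header to be skipped safely. */
static size_t susp_min_len(const uint8_t *sig) {
    if (sig[0] == 'P' && sig[1] == 'X') return 36;
    if (sig[0] == 'N' && sig[1] == 'M') return 5;
    return SUSP_HDR_LEN;
}

static void handle_px(const uint8_t *e, struct susp_info *out) {
    out->mode = get_le32(e + 4);   /* safe: caller verified len >= 36 */
}

static void handle_nm(const uint8_t *e, size_t len, struct susp_info *out) {
    size_t have = strlen(out->name);
    size_t n = len - 5;            /* safe: caller verified len >= 5 */
    if (n > sizeof(out->name) - 1 - have) n = sizeof(out->name) - 1 - have;
    memcpy(out->name + have, e + 5, n);
    out->name[have + n] = '\0';
}

/* Walk the system-use area: every entry must lie wholly inside buf[0..buflen)
 * and be at least as long as its handler reads, before the handler runs. */
enum susp_status susp_walk(const uint8_t *buf, size_t buflen, struct susp_info *out) {
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (buflen - off >= SUSP_HDR_LEN) {          /* less than a header left: padding */
        const uint8_t *e = buf + off;
        size_t len = e[2];
        if (len == 0) return SUSP_OK;               /* zero padding at end of area */
        if (len < SUSP_HDR_LEN) return SUSP_BAD_LEN;
        if (len > buflen - off) return SUSP_TRUNC_ENTRY;     /* check 1: whole entry in bounds */
        if (len < susp_min_len(e)) return SUSP_SHORT_ENTRY;  /* check 2: handler's reads in bounds */
        if (e[0] == 'P' && e[1] == 'X') handle_px(e, out);
        else if (e[0] == 'N' && e[1] == 'M') handle_nm(e, len, out);
        out->entries++;
        if (e[0] == 'S' && e[1] == 'T') return SUSP_OK;     /* ST terminates the area */
        off += len;
    }
    return SUSP_OK;
}

/* Constructed sample areas (not taken from any real image). */
static const uint8_t sample_valid[] = {
    'P','X',36,1, 0xa4,0x81,0,0, 0,0,0x81,0xa4,  1,0,0,0, 0,0,0,1,
    0,0,0,0, 0,0,0,0,  0,0,0,0, 0,0,0,0,         /* uid, gid */
    'N','M',9,1, 0,'f','i','l','e',
    'N','M',7,1, 0,'.','c',
    'S','T',4,1 };
static const uint8_t sample_trunc[] = { 'P','X',36,1, 0xa4,0x81,0,0 }; /* claims 36, only 8 present */
static const uint8_t sample_short[] = { 'P','X',8,1, 0xa4,0x81,0,0 };  /* fits, but PX needs 36 */

int demo_walk(int which, struct susp_info *out) {
    if (which == 1) return susp_walk(sample_trunc, sizeof sample_trunc, out);
    if (which == 2) return susp_walk(sample_short, sizeof sample_short, out);
    return susp_walk(sample_valid, sizeof sample_valid, out);
}
int demo_status(int which) { struct susp_info i; return demo_walk(which, &i); }
int demo_entries(void) { struct susp_info i; demo_walk(0, &i); return i.entries; }
uint32_t demo_mode(void) { struct susp_info i; demo_walk(0, &i); return i.mode; }
int demo_name_is(const char *s) { struct susp_info i; demo_walk(0, &i); return strcmp(i.name, s) == 0; }

int main(void) {
    struct susp_info i;
    printf("valid: status=%d entries=%d mode=%#o name=%s\n", demo_walk(0, &i), i.entries, i.mode, i.name);
    printf("truncated entry: status=%d\n", demo_status(1));
    printf("short entry: status=%d\n", demo_status(2));
    return 0;
}
```

The truncated sample passes a header-only check (its four header bytes are present) and would be read out of bounds by a walker that trusts the header; the short sample passes the whole-entry check and would be over-read by a PX handler that does not check the length it was given. Each check catches the case the other misses, which is why the comment adds both.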
