Date:      Fri, 25 Sep 2020 16:34:43 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r366160 - releng/12.2/sys/fs/udf
Message-ID:  <202009251634.08PGYhGt034942@repo.freebsd.org>

Author: markj
Date: Fri Sep 25 16:34:42 2020
New Revision: 366160
URL: https://svnweb.freebsd.org/changeset/base/366160

Log:
  MFS r366154:
  MFC r366005:
  udf: Validate the full file entry length
  
  PR:		248613
  Approved by:	re (gjb)

Modified:
  releng/12.2/sys/fs/udf/udf_vfsops.c
Directory Properties:
  releng/12.2/   (props changed)

Modified: releng/12.2/sys/fs/udf/udf_vfsops.c
==============================================================================
--- releng/12.2/sys/fs/udf/udf_vfsops.c	Fri Sep 25 16:02:13 2020	(r366159)
+++ releng/12.2/sys/fs/udf/udf_vfsops.c	Fri Sep 25 16:34:42 2020	(r366160)
@@ -590,6 +590,7 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc
 	struct vnode *vp;
 	struct udf_node *unode;
 	struct file_entry *fe;
+	uint32_t lea, lad;
 	int error, sector, size;
 
 	error = vfs_hash_get(mp, ino, flags, curthread, vpp, NULL, NULL);
@@ -645,31 +646,37 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc
 	devvp = udfmp->im_devvp;
 	if ((error = RDSECTOR(devvp, sector, udfmp->bsize, &bp)) != 0) {
 		printf("Cannot read sector %d\n", sector);
-		vgone(vp);
-		vput(vp);
-		brelse(bp);
-		*vpp = NULL;
-		return (error);
+		goto error;
 	}
 
+	/*
+	 * File entry length validation.
+	 */
 	fe = (struct file_entry *)bp->b_data;
 	if (udf_checktag(&fe->tag, TAGID_FENTRY)) {
 		printf("Invalid file entry!\n");
-		vgone(vp);
-		vput(vp);
-		brelse(bp);
-		*vpp = NULL;
-		return (ENOMEM);
+		error = ENOMEM;
+		goto error;
 	}
-	size = UDF_FENTRY_SIZE + le32toh(fe->l_ea) + le32toh(fe->l_ad);
+	lea = le32toh(fe->l_ea);
+	lad = le32toh(fe->l_ad);
+	if (lea > udfmp->bsize || lad > udfmp->bsize) {
+		printf("Invalid EA and AD lengths %u, %u\n", lea, lad);
+		error = EIO;
+		goto error;
+	}
+	size = UDF_FENTRY_SIZE + lea + lad;
+	if (size > udfmp->bsize) {
+		printf("Invalid file entry size %u\n", size);
+		error = EIO;
+		goto error;
+	}
+
 	unode->fentry = malloc(size, M_UDFFENTRY, M_NOWAIT | M_ZERO);
 	if (unode->fentry == NULL) {
 		printf("Cannot allocate file entry block\n");
-		vgone(vp);
-		vput(vp);
-		brelse(bp);
-		*vpp = NULL;
-		return (ENOMEM);
+		error = ENOMEM;
+		goto error;
 	}
 
 	bcopy(bp->b_data, unode->fentry, size);
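Review bot: `size` is still an `int` (context declaration `int error, sector, size;` in the first hunk), but it now receives the unsigned sum `UDF_FENTRY_SIZE + lea + lad` and is printed with `%u` in the "Invalid file entry size" message, so the format and the argument type disagree. Printing it with `%d`, or declaring it next to the new variables as `uint32_t lea, lad, size;` if the uses outside this hunk allow it, would make them agree. The per-field check `lea > udfmp->bsize || lad > udfmp->bsize` is what keeps the 32-bit addition from wrapping before the total is compared, and it deserves a comment such as `/* Bound each on-disk length first so the sum below cannot wrap. */`. The type of `udfmp->bsize` is not visible in this diff, so the signedness of both comparisons should be confirmed against its declaration. The body of udf_vget starts and ends outside this hunk.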
@@ -714,6 +721,13 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc
 	*vpp = vp;
 
 	return (0);
+
+error:
+	vgone(vp);
+	vput(vp);
+	brelse(bp);
+	*vpp = NULL;
+	return (error);
 }
 
 static int
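Review bot: The shared `error:` path calls `brelse(bp)` unconditionally, and it is also reached from the `goto error` taken when RDSECTOR fails. Whether `bp` is a valid buffer in that case depends on RDSECTOR, which this diff does not show; the removed code made the same call, so this is inherited rather than new, but worth confirming now that the cleanup is centralised. The label also frees nothing attached to `unode`, which is correct for the three visible jumps because none happens after a successful `malloc`, and a comment would keep it that way: `/* Only valid before unode->fentry is allocated. */`. As a matter of style, the label reuses the name of the `error` variable; that is legal C, but `fail:` would read more clearly next to `return (error);`. The function body begins outside this hunk.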


