author Jan Kara <jack@suse.cz> 2014-12-18 17:26:10 +0100
committer sungmin ha <sungmin82.ha@samsung.com> 2015-03-18 16:56:38 +0900
commit 39119892fde2c17d6ef7cbc23577fcd34aa25342
tree e0e822acff8967496878864ed62ae5fbf3627d9c
parent 85167f008eaa1c717563b8197b200750e9d35f47
isofs: Fix unchecked printing of ER records
We didn't check length of rock ridge ER records before printing them. Thus corrupted isofs image can cause us to access and print some memory behind the buffer with obvious consequences.

Change-Id: I62169ef625a50321b3daa3127cfca63d449389b7
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>

-rw-r--r-- fs/isofs/rock.c 3
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index bb63254ed848..735d7522a3a9 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -362,6 +362,9 @@ repeat:
rs.cont_size = isonum_733(rr->u.CE.size);
break;
case SIG('E', 'R'):
+ /* Invalid length of ER tag id? */
+ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
+ goto out;
ISOFS_SB(inode->i_sb)->s_rock = 1;
printk(KERN_DEBUG "ISO 9660 Extensions: ");
{
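Review bot: in the `case SIG('E', 'R'):` branch the new check bounds `rr->u.ER.len_id` only against `rr->len`, so it stops the over-read only if `rr->len` has itself already been validated against the bytes remaining in the buffer before this switch is reached. Please confirm that and mention it in the comment. The `goto out` also discards the record without any message; since this path is taken only for a malformed image, a short diagnostic before the jump would help when triaging a corrupted isofs image. Placing the check ahead of `ISOFS_SB(inode->i_sb)->s_rock = 1` is right, since a bad ER record then never turns on the Rock Ridge flag.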