diff options
author | Jan Kara <jack@suse.cz> | 2014-12-18 17:26:10 +0100 |
---|---|---|
committer | sungmin ha <sungmin82.ha@samsung.com> | 2015-03-18 16:56:38 +0900 |
commit | 39119892fde2c17d6ef7cbc23577fcd34aa25342 (patch) | |
tree | e0e822acff8967496878864ed62ae5fbf3627d9c | |
parent | 85167f008eaa1c717563b8197b200750e9d35f47 (diff) | |
download | emulator-kernel-39119892fde2c17d6ef7cbc23577fcd34aa25342.tar.gz emulator-kernel-39119892fde2c17d6ef7cbc23577fcd34aa25342.tar.bz2 emulator-kernel-39119892fde2c17d6ef7cbc23577fcd34aa25342.zip |
isofs: Fix unchecked printing of ER records
We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Change-Id: I62169ef625a50321b3daa3127cfca63d449389b7
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
-rw-r--r-- | fs/isofs/rock.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index bb63254ed848..735d7522a3a9 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -362,6 +362,9 @@ repeat: rs.cont_size = isonum_733(rr->u.CE.size); break; case SIG('E', 'R'): + /* Invalid length of ER tag id? */ + if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) + goto out; ISOFS_SB(inode->i_sb)->s_rock = 1; printk(KERN_DEBUG "ISO 9660 Extensions: "); { |