mirror of https://github.com/vitalif/e2fsprogs
libext2fs/e2fsck: don't run off the end of the EA block
When we're (a) reading EAs into a buffer; (b) byte-swapping EA entries; or (c) checking EA data, be careful not to run off the end of the memory buffer, because this causes invalid memory accesses and e2fsck crashes. This can happen if we encounter a specially crafted FS image.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
parent
71e177a2a5
commit
88334ce084
|
@ -302,7 +302,8 @@ static void check_ea_in_inode(e2fsck_t ctx, struct problem_context *pctx)
|
|||
/* take finish entry 0UL into account */
|
||||
remain = storage_size - sizeof(__u32);
|
||||
|
||||
while (!EXT2_EXT_IS_LAST_ENTRY(entry)) {
|
||||
while (remain >= sizeof(struct ext2_ext_attr_entry) &&
|
||||
!EXT2_EXT_IS_LAST_ENTRY(entry)) {
|
||||
__u32 hash;
|
||||
|
||||
/* header eats this space */
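Review bot: The rewritten `while` in check_ea_in_inode can now end for two different reasons, either the terminator entry was found or `remain` dropped below `sizeof(struct ext2_ext_attr_entry)`, and nothing in the hunk records which one happened. For a checker, an in-inode EA region that runs out of space without a terminator is itself a sign of corruption, so the code after the loop (outside this hunk) should presumably report that exit as a problem rather than treat it as a clean end of list. The same applies to the identical loop in read_xattrs_from_buffer, which returns an `errcode_t` and could fail the read instead of returning the entries parsed so far. At minimum a comment above the loop, such as `/* stop if the buffer cannot hold another entry header; a missing terminator means the EA region is corrupt */`, would make the two exits explicit. It is also worth confirming outside the hunk that `remain` is unsigned and that `storage_size` is at least `sizeof(__u32)` before the subtraction, since the comparison against `sizeof` is done in an unsigned type.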
|
||||
|
|
|
@ -633,7 +633,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
|
|||
|
||||
entry = entries;
|
||||
remain = storage_size;
|
||||
while (!EXT2_EXT_IS_LAST_ENTRY(entry)) {
|
||||
while (remain >= sizeof(struct ext2_ext_attr_entry) &&
|
||||
!EXT2_EXT_IS_LAST_ENTRY(entry)) {
|
||||
__u32 hash;
|
||||
|
||||
/* header eats this space */
|
||||
|
|
|
@ -196,7 +196,9 @@ void ext2fs_swap_ext_attr(char *to, char *from, int bufsize, int has_header)
|
|||
to_entry = (struct ext2_ext_attr_entry *)to_header;
|
||||
}
|
||||
|
||||
while ((char *)from_entry < from_end && *(__u32 *)from_entry) {
|
||||
while ((char *)from_entry < from_end &&
|
||||
(char *)EXT2_EXT_ATTR_NEXT(from_entry) <= from_end &&
|
||||
*(__u32 *)from_entry) {
|
||||
ext2fs_swap_ext_attr_entry(to_entry, from_entry);
|
||||
from_entry = EXT2_EXT_ATTR_NEXT(from_entry);
|
||||
to_entry = EXT2_EXT_ATTR_NEXT(to_entry);
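Review bot: The new bound in ext2fs_swap_ext_attr, `(char *)EXT2_EXT_ATTR_NEXT(from_entry) <= from_end`, builds a pointer from the on-disk `e_name_len` before checking it (assuming the macro is defined as in the ext2 headers, which are not shown here). For a crafted entry near the end of the buffer, the pointer being compared already lies beyond one-past-the-end, which C leaves undefined and which an optimizer may assume never happens. Comparing lengths keeps the check inside the buffer: `EXT2_EXT_ATTR_LEN(from_entry->e_name_len) <= (size_t)(from_end - (char *)from_entry) &&`. The function returns void, so when the loop stops early the remaining bytes are left unswapped with no signal to the caller; a comment saying that callers must still validate the block afterwards would help. The loop body's closing brace is outside the hunk.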
|
||||
|
|