[PATCH] isofs: more defensive checks against corrupt isofs images

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem. http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2 CAN-2005-0815 is assigned to this issue. Some more defensive checks to keep corrupt isofs images from corrupting memory or causing Oops. Signed-off-by: Chris Wright <chrisw@osdl.org> ===== fs/isofs/rock.c 1.23 vs edited =====
2024-09-25 20:05:39 +00:00 · 2005-03-25 17:46:03 -08:00 · 2005-03-25 17:46:03 -08:00 · cc981951db
commit cc981951db
parent 5ab3629112
1 changed files with 4 additions and 0 deletions
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@ -74,6 +74,10 @@
    offset1 = 0; \
    pbh = sb_bread(DEV->i_sb, block); \
    if(pbh){       \
+      if (offset > pbh->b_size || offset + cont_size > pbh->b_size){	\
+	brelse(pbh); \
+	goto out; \
+      } \
      memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
      brelse(pbh); \
      chr = (unsigned char *) buffer; \