libext2fs: ensure validate_entry doesn't read beyond blocksize

ext2fs_validate_entry would read beyond the end of the block to get
dirent->rec_len for certain arguments (like if blocksize ==
final_offset).  This patch adds a check so that doesn't happen, and
changes the types of the arguments to avoid a compiler warning.

Signed-off-by: Nic Case <number9652@yahoo.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
index ac5a31e..39d713b 100644 (file)
--- a/lib/ext2fs/dir_iterate.c
+++ b/lib/ext2fs/dir_iterate.c
@@ -64,13 +64,16 @@ errcode_t ext2fs_set_rec_len(ext2_filsys fs,
  * undeleted entry.  Returns 1 if the deleted entry looks valid, zero
  * if not valid.
  */
-static int ext2fs_validate_entry(ext2_filsys fs, char *buf, int offset,
-                                int final_offset)
+static int ext2fs_validate_entry(ext2_filsys fs, char *buf,
+                                unsigned int offset,
+                                unsigned int final_offset)
 {
        struct ext2_dir_entry *dirent;
        unsigned int rec_len;
+#define DIRENT_MIN_LENGTH 12
 
-       while (offset < final_offset) {
+       while ((offset < final_offset) &&
+              (offset <= fs->blocksize - DIRENT_MIN_LENGTH)) {
                dirent = (struct ext2_dir_entry *)(buf + offset);
                if (ext2fs_get_rec_len(fs, dirent, &rec_len))
                        return 0;