libext2fs: check EA value offset

Perform a little more sanity checking of EA value offsets so that we
don't crash while trying to load things from the filesystem.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index 2194a18..6b6d8b8 100644 (file)
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -518,4 +518,7 @@ ec  EXT2_ET_MAGIC_EA_HANDLE,
 ec     EXT2_ET_INODE_IS_GARBAGE,
        "Inode seems to contain garbage"
 
+ec     EXT2_ET_EA_BAD_VALUE_OFFSET,
+       "Extended attribute has an invalid value offset"
+
        end

diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index f3fba96..96530f8 100644 (file)
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -624,6 +624,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
        void *ptr;
        unsigned int remain, prefix_len;
        errcode_t err;
+       unsigned int values_size = storage_size +
+                       ((char *)entries - (char *)value_start);
 
        x = handle->attrs;
        while (x->name)
@@ -648,6 +650,9 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
                if (entry->e_value_size > remain)
                        return EXT2_ET_EA_BAD_VALUE_SIZE;
 
+               if (entry->e_value_offs + entry->e_value_size > values_size)
+                       return EXT2_ET_EA_BAD_VALUE_OFFSET;
+
                /* e_value_block must be 0 in inode's ea */
                if (entry->e_value_block != 0)
                        return EXT2_ET_BAD_EA_BLOCK_NUM;