From: Darrick J. Wong Date: Sun, 10 Aug 2014 22:21:16 +0000 (-0400) Subject: libext2fs: check EA value offset X-Git-Tag: v1.43-WIP-2015-05-18~243 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=71e177a2a52a6253f03ca5218017e6b7a4a01ec6;p=tools%2Fe2fsprogs.git libext2fs: check EA value offset Perform a little more sanity checking of EA value offsets so that we don't crash while trying to load things from the filesystem. Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o
---
diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index 2194a18..6b6d8b8 100644
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -518,4 +518,7 @@ ec EXT2_ET_MAGIC_EA_HANDLE,
 ec EXT2_ET_INODE_IS_GARBAGE,
 "Inode seems to contain garbage"
 
+ec EXT2_ET_EA_BAD_VALUE_OFFSET,
+ "Extended attribute has an invalid value offset"
+
 end
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index f3fba96..96530f8 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -624,6 +624,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 void *ptr;
 unsigned int remain, prefix_len;
 errcode_t err;
+ unsigned int values_size = storage_size +
+ ((char *)entries - (char *)value_start);
 
 x = handle->attrs;
 while (x->name)
@@ -648,6 +650,9 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 if (entry->e_value_size > remain)
 return EXT2_ET_EA_BAD_VALUE_SIZE;
 
+ if (entry->e_value_offs + entry->e_value_size > values_size)
+ return EXT2_ET_EA_BAD_VALUE_OFFSET;
+
 /* e_value_block must be 0 in inode's ea */
 if (entry->e_value_block != 0)
 return EXT2_ET_BAD_EA_BLOCK_NUM;
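Review bot: In the `@@ -624,6 +624,8 @@` hunk of lib/ext2fs/ext_attr.c, `values_size` is declared without a comment and its initializer stores a signed pointer difference into an `unsigned int`, so the bound is only meaningful when `value_start` is at or before `entries`. If a caller ever passed the two the other way round, the difference would be negative and the result would no longer describe the value area that the new offset check relies on. I would state that precondition above the declaration, for example `/* bytes from value_start to the end of the EA storage; requires value_start <= entries */`. read_xattrs_from_buffer begins and ends outside this hunk, so the parameter types and the callers are not visible here.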
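Review bot: The new test in the `@@ -648,6 +650,9 @@` hunk of lib/ext2fs/ext_attr.c adds two fields read from the on-disk entry before comparing, so it is free of wrap-around only because the `e_value_size > remain` check directly above it has already bounded the size. Writing the bound in subtraction form keeps it correct on its own, even if the earlier check is later moved or relaxed: `if (entry->e_value_offs > values_size || entry->e_value_size > values_size - entry->e_value_offs)`. A short comment such as `/* value must lie entirely inside the EA storage area */` would also make the intent clear next to the neighbouring size check. The enclosing loop in read_xattrs_from_buffer starts and ends outside the hunk, so how `remain` is bounded cannot be confirmed from here.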