From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 26 Aug 2020 20:29:29 +0000 (-0400)
Subject: libext2fs: fix potential buffer overrun in __get_dirent_tail()
X-Git-Tag: v1.45.7~44
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=7b63656df911172efea39295266501cdd91869d7;p=tools%2Fe2fsprogs.git

libext2fs: fix potential buffer overrun in __get_dirent_tail()

If the file system is corrupted, there is a potential of a read-only
buffer overrun.  Fortunately, we don't actually use the result of that
pointer dereference, and the overrun is at most 64k.

Google-Bug-Id: #158564737
Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---

diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
index 54b53a3..9b0b790 100644
--- a/lib/ext2fs/csum.c
+++ b/lib/ext2fs/csum.c
@@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
 	d = dirent;
 	top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
 
-	rec_len = translate(d->rec_len);
 	while ((void *) d < top) {
+		rec_len = translate(d->rec_len);
 		if ((rec_len < 8) || (rec_len & 0x03))
 			return EXT2_ET_DIR_CORRUPTED;
 		d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
-		rec_len = translate(d->rec_len);
 	}
 
 	if ((char *)d > ((char *)dirent + fs->blocksize))