From: Darrick J. Wong Date: Sat, 25 Oct 2014 20:56:42 +0000 (-0700) Subject: libext2fs: directory iteration mustn't walk off the buffer end X-Git-Tag: v1.42.13~25 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=dab7435917698bb490cce61fc8be1be0a862cf66;p=tools%2Fe2fsprogs.git libext2fs: directory iteration mustn't walk off the buffer end When we're iterating a directory, the loop control code reads the length of the next directory record, failing to account for the fact that there must be at least 8 bytes (the minimum size of a directory entry) left in the buffer to read the next directory record. Fix the loop conditional so that we don't read off the end of the buffer. Signed-off-by: Darrick J. Wong Reported-by: Sami Liedes Signed-off-by: Theodore Ts'o --- diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c index 589af69..0744ee8 100644 --- a/lib/ext2fs/dir_iterate.c +++ b/lib/ext2fs/dir_iterate.c @@ -202,7 +202,7 @@ int ext2fs_process_dir_block(ext2_filsys fs, if (ctx->errcode) return BLOCK_ABORT; - while (offset < fs->blocksize) { + while (offset < fs->blocksize - 8) { dirent = (struct ext2_dir_entry *) (ctx->buf + offset); if (ext2fs_get_rec_len(fs, dirent, &rec_len)) return BLOCK_ABORT;
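Review bot: the new loop condition `while (offset < fs->blocksize - 8)` in ext2fs_process_dir_block is stricter than the commit message's stated requirement of "at least 8 bytes" left in the buffer. At `offset == fs->blocksize - 8` exactly 8 bytes remain, which is enough to read a minimum-size record header, yet the loop exits without looking at that position. If skipping it is intended, a comment should say why. If not, `offset + 8 <= fs->blocksize` matches the description, and it also does not depend on the subtraction staying non-negative (the types of `offset` and `blocksize` are not visible in this hunk). The bare `8` would be clearer as a named constant for the minimum directory entry size, so the bound is tied to the structure it protects. The visible lines only guard the read of the record length: the hunk does not show whether the `rec_len` returned by `ext2fs_get_rec_len` is checked against the bytes remaining after `offset`, and that is worth confirming in the rest of the loop body.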