From 71e177a2a52a6253f03ca5218017e6b7a4a01ec6 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong"
Date: Sun, 10 Aug 2014 18:21:16 -0400
Subject: [PATCH] libext2fs: check EA value offset

Perform a little more sanity checking of EA value offsets so that we don't crash while trying to load things from the filesystem.

Signed-off-by: Darrick J. Wong
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/ext2_err.et.in | 3 +++
 lib/ext2fs/ext_attr.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index 2194a18..6b6d8b8 100644
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -518,4 +518,7 @@ ec EXT2_ET_MAGIC_EA_HANDLE,
 ec EXT2_ET_INODE_IS_GARBAGE,
 "Inode seems to contain garbage"
 
+ec EXT2_ET_EA_BAD_VALUE_OFFSET,
+ "Extended attribute has an invalid value offset"
+
 end
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index f3fba96..96530f8 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -624,6 +624,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 void *ptr;
 unsigned int remain, prefix_len;
 errcode_t err;
+ unsigned int values_size = storage_size +
+ ((char *)entries - (char *)value_start);
 
 x = handle->attrs;
 while (x->name)
@@ -648,6 +650,9 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 if (entry->e_value_size > remain)
 return EXT2_ET_EA_BAD_VALUE_SIZE;
 
+ if (entry->e_value_offs + entry->e_value_size > values_size)
+ return EXT2_ET_EA_BAD_VALUE_OFFSET;
+
 /* e_value_block must be 0 in inode's ea */
 if (entry->e_value_block != 0)
 return EXT2_ET_BAD_EA_BLOCK_NUM;
-- 
1.8.3.1
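Review bot: The `values_size` initializer added to the declaration block of read_xattrs_from_buffer folds a signed pointer difference into an `unsigned int` without saying what the result measures. A comment on it would make the later bound reviewable, for example `/* bytes from value_start to the end of the entry storage; e_value_offs is checked against this */`. `storage_size`, `entries` and `value_start` are declared outside this hunk, so their types and the assumption that `value_start` never lies past the end of the storage should be confirmed there; if it did, the sum would wrap to a very large value and the new offset check would reject nothing.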
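Review bot: The added bound `entry->e_value_offs + entry->e_value_size > values_size` is computed by addition, so it appears to stay wrap-free only because the `e_value_size > remain` test runs immediately before it; both fields are presumably read from the on-disk entry. Writing it in subtraction form keeps it correct regardless of check order or field widths: `if (entry->e_value_offs > values_size || entry->e_value_size > values_size - entry->e_value_offs)`. The check also constrains only the end of the value, so an offset that points back into the entry table would still pass; whether that needs rejecting depends on code outside this hunk. read_xattrs_from_buffer starts and ends outside the hunk.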