From: Theodore Ts'o <tytso@mit.edu>
Date: Sun, 23 Jul 2017 04:45:05 +0000 (-0400)
Subject: debugfs: add sanity checking to the string_to_inode() utility function
X-Git-Tag: v1.43.5~25
X-Git-Url: https://git.whamcloud.com/gitweb?a=commitdiff_plain;h=393df147698962761824179c00840336caf3ffd8;p=tools%2Fe2fsprogs.git

debugfs: add sanity checking to the string_to_inode() utility function

Otherwise it's possible for a corrupt file system or bad user input to
cause debugfs to crash if the resulting inode number is insanely
large.

This problem was found using American Fuzzy Lop.

Reported-by: Adam Buchbinder <abuchbinder@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---

diff --git a/debugfs/util.c b/debugfs/util.c
index bd5de79..5f101f4 100644
--- a/debugfs/util.c
+++ b/debugfs/util.c
@@ -119,7 +119,7 @@ ext2_ino_t string_to_inode(char *str)
 	 */
 	if ((len > 2) && (str[0] == '<') && (str[len-1] == '>')) {
 		ino = strtoul(str+1, &end, 0);
-		if (*end=='>')
+		if (*end=='>' && (ino <= current_fs->super->s_inodes_count))
 			return ino;
 	}
 
@@ -128,6 +128,11 @@ ext2_ino_t string_to_inode(char *str)
 		com_err(str, retval, 0);
 		return 0;
 	}
+	if (ino > current_fs->super->s_inodes_count) {
+		com_err(str, 0, "resolves to an illegal inode number: %u\n",
+			ino);
+		return 0;
+	}
 	return ino;
 }