Whamcloud - gitweb
LU-10205 libext2fs: fix buffer overrun in ext2fs_expand_extra_isize 75/29975/2
author Jeff Mahoney <jeffm@suse.com>
Tue, 7 Nov 2017 21:31:43 +0000 (16:31 -0500)
committer Andreas Dilger <andreas.dilger@intel.com>
Tue, 23 Jan 2018 05:37:42 +0000 (05:37 +0000)
In ext2fs_expand_extra_isize, we size the buffer using 'size' but then
do the memcpy with the rounded-up size, which can overflow the buffer.

With MALLOC_CHECK_=2, I see:
Error in `../e2fsck/e2fsck': free(): invalid pointer: <addr>

Change-Id: I31be58de12d4d50646c7aa96959de0efc5c279c3
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-on: https://review.whamcloud.com/29975
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
lib/ext2fs/ext_attr.c

index a9d0b62..3fb8d84 100644 (file)
@@ -1032,7 +1032,7 @@ retry:
                size = entry->e_value_size;
                entry_size = EXT2_EXT_ATTR_LEN(entry->e_name_len);
                i.name_index = entry->e_name_index;
-               error = ext2fs_get_mem(size, &buffer);
+               error = ext2fs_get_mem(EXT2_EXT_ATTR_SIZE(size), &buffer);
                if (error)
                        goto cleanup;
                error = ext2fs_get_mem(entry->e_name_len + 1, &b_entry_name);
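Review bot: the allocation on the `+` line now uses `EXT2_EXT_ATTR_SIZE(size)`, but the memcpy that the commit message says copies the rounded-up length is outside this hunk, so the two expressions can still drift apart in a later edit; computing the rounded length once into a local (e.g. `value_size = EXT2_EXT_ATTR_SIZE(size);`) and passing that same variable to both `ext2fs_get_mem` and the copy would make the invariant visible at the allocation site. Also worth confirming in review: `ext2fs_get_mem` does not zero the allocation, so if the bytes between `size` and `EXT2_EXT_ATTR_SIZE(size)` are ever written out from this buffer rather than copied from the source entry, the padding should be explicitly zeroed to avoid leaking uninitialized heap to disk; and since `buffer` is now allocated before `b_entry_name`, the `goto cleanup` path on the following line must free `buffer` when the second allocation fails.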