vserver 1.9.5.x5
diff --git
a/fs/isofs/rock.c
b/fs/isofs/rock.c
index
19d999f
..
8bdd3e4
100644
(file)
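--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -53,6 +53,7 @@
 if(LEN & 1) LEN++; \
 CHR = ((unsigned char *) DE) + LEN; \
 LEN = *((unsigned char *) DE) - LEN; \
+if (LEN<0) LEN=0; \
 if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \
 { \
 LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \
@@ -73,6 +74,10 @@
 offset1 = 0; \
 pbh = sb_bread(DEV->i_sb, block); \
 if(pbh){ \
+if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
+brelse(pbh); \
+goto out; \
+} \
 memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
 brelse(pbh); \
 chr = (unsigned char *) buffer; \
@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_directory_record * de,
 struct rock_ridge * rr;
 int sig;
-while (len > 1){ /* There may be one byte for padding somewhere */
+while (len > 2){ /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
-if (rr->len == 0) goto out; /* Something got screwed up here */
+if (rr->len < 3) goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+if (len < 0) goto out; /* corrupted isofs */
 switch(sig){
 case SIG('R','R'):
@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_directory_record * de,
 break;
 case SIG('N','M'):
 if (truncate) break;
+if (rr->len < 5) break;
 /*
 * If the flags are 2 or 4, this indicates '.' or '..'.
 * We don't want to do anything with this, because it
@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
 struct rock_ridge * rr;
 int rootflag;
-while (len > 1){ /* There may be one byte for padding somewhere */
+while (len > 2){ /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
-if (rr->len == 0) goto out; /* Something got screwed up here */
+if (rr->len < 3) goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+if (len < 0) goto out; /* corrupted isofs */
 switch(sig){
 #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 struct rock_ridge *rr;
 if (!ISOFS_SB(inode->i_sb)->s_rock)
-panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
+goto error;
 block = ei->i_iget5_block;
 lock_kernel();
@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 SETUP_ROCK_RIDGE(raw_inode, chr, len);
 repeat:
-while (len > 1) { /* There may be one byte for padding somewhere */
+while (len > 2) { /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
-if (rr->len == 0)
+if (rr->len < 3)
 goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+if (len < 0)
+goto out; /* corrupted isofs */
 switch (sig) {
 case SIG('R', 'R'):
@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 fail:
 brelse(bh);
 unlock_kernel();
+error:
 SetPageError(page);
 kunmap(page);
 unlock_page(page);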
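Review bot: The guard added in the continuation-read hunk (`@@ -73,6 +74,10 @@`), `offset > pbh->b_size || offset + cont_size > pbh->b_size`, is only sound if `offset` and `cont_size` cannot be negative and their sum cannot wrap; both are declared outside the hunk, so this needs confirming. If they are signed ints filled from the on-disk CE entry, a negative `cont_size` can satisfy the sum test while `cont_size - offset1` turns into a very large `memcpy` length. Rejecting negatives first and comparing without the addition closes both cases: `if (offset < 0 || cont_size < 0 || offset > pbh->b_size || cont_size > pbh->b_size - offset){ \`. The macro body and the `out` label it jumps to continue outside the hunk, so whether `buffer` is released on this new exit path should be checked there. Separately, only the `NM` case gains a per-entry minimum (`rr->len < 5`); the other signature cases are not visible here and may need an equivalent `rr->len` check before they read `rr->u` fields.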