Commit 91c9c9ec authored by Jan Kara's avatar Jan Kara

udf: Fix off-by-one in volume descriptor sequence length

We pass one block beyond end of volume descriptor sequence into
process_sequence() as 'lastblock' instead of the last block of the
sequence. When the sequence is not terminated with TD descriptor, this
could lead to false errors due to invalid blocks in volume descriptor
sequence and thus unmountable volumes.
Acked-by: default avatarPali Rohár <pali.rohar@gmail.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent e1603b6e
...@@ -1658,7 +1658,7 @@ static noinline int udf_process_sequence( ...@@ -1658,7 +1658,7 @@ static noinline int udf_process_sequence(
next_e = le32_to_cpu( next_e = le32_to_cpu(
vdp->nextVolDescSeqExt.extLength); vdp->nextVolDescSeqExt.extLength);
next_e = next_e >> sb->s_blocksize_bits; next_e = next_e >> sb->s_blocksize_bits;
next_e += next_s; next_e += next_s - 1;
} }
break; break;
case TAG_IDENT_IUVD: /* ISO 13346 3/10.4 */ case TAG_IDENT_IUVD: /* ISO 13346 3/10.4 */
...@@ -1760,13 +1760,13 @@ static int udf_load_sequence(struct super_block *sb, struct buffer_head *bh, ...@@ -1760,13 +1760,13 @@ static int udf_load_sequence(struct super_block *sb, struct buffer_head *bh,
main_s = le32_to_cpu(anchor->mainVolDescSeqExt.extLocation); main_s = le32_to_cpu(anchor->mainVolDescSeqExt.extLocation);
main_e = le32_to_cpu(anchor->mainVolDescSeqExt.extLength); main_e = le32_to_cpu(anchor->mainVolDescSeqExt.extLength);
main_e = main_e >> sb->s_blocksize_bits; main_e = main_e >> sb->s_blocksize_bits;
main_e += main_s; main_e += main_s - 1;
/* Locate the reserve sequence */ /* Locate the reserve sequence */
reserve_s = le32_to_cpu(anchor->reserveVolDescSeqExt.extLocation); reserve_s = le32_to_cpu(anchor->reserveVolDescSeqExt.extLocation);
reserve_e = le32_to_cpu(anchor->reserveVolDescSeqExt.extLength); reserve_e = le32_to_cpu(anchor->reserveVolDescSeqExt.extLength);
reserve_e = reserve_e >> sb->s_blocksize_bits; reserve_e = reserve_e >> sb->s_blocksize_bits;
reserve_e += reserve_s; reserve_e += reserve_s - 1;
/* Process the main & reserve sequences */ /* Process the main & reserve sequences */
/* responsible for finding the PartitionDesc(s) */ /* responsible for finding the PartitionDesc(s) */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment