    [PATCH] rock.c: handle corrupted directories · e595447e
    Andrew Morton authored
    The bug in rock.c is that it's totally trusting of the contents of the
    directories.  If the directory says there's a continuation 10000 bytes into
    this 4k block then we cheerily poke around in memory we don't own and oops.
    
    So change rock_continue() to apply various sanity checks, at least ensuring
    that the offset+length remain within the bounds for the header part of a
    struct rock_ridge directory entry.
    
    Note that the kernel can still overindex the buffer due to the variable size
    of the rock-ridge directory entries.  We cannot check that in rock_continue()
    unless we go parse the directory entry's signature and work out its size.
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
rock.c 15.6 KB
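
The kind of sanity check the commit message describes, as an added example that is not the kernel's rock.c code and not part of this commit: `cont_ref_ok` rejects a continuation whose offset+length leaves the block, and `walk_entries` goes one step beyond the message by checking each entry's declared length byte against the bytes that remain. The struct, function names and sample bytes are hypothetical and constructed for illustration; the 4-byte entry header (two signature bytes, length, version) is assumed from the Rock Ridge/SUSP entry layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type: a continuation pointer read from disk (untrusted). */
struct cont_ref {
    uint32_t offset;   /* byte offset of the continuation inside its block */
    uint32_t size;     /* byte length of the continuation area */
};

#define ENTRY_HDR_LEN 4u  /* assumed header: signature[2], length, version */

/* 0 if [offset, offset+size) fits in a block of blk_size bytes and can hold
 * at least one entry header, -1 otherwise. Written so that offset+size is
 * never computed and therefore cannot wrap around. */
int cont_ref_ok(const struct cont_ref *c, uint32_t blk_size)
{
    if (c->size < ENTRY_HDR_LEN || c->offset > blk_size)
        return -1;
    if (c->size > blk_size - c->offset)
        return -1;
    return 0;
}

/* Walk variable-size entries in an already bounds-checked area. Returns the
 * entry count, or -1 if a length byte is too small (which would stall the
 * loop) or runs past the area. Per-signature minimum sizes are not checked. */
int walk_entries(const uint8_t *area, size_t area_len)
{
    size_t pos = 0;
    int n = 0;

    while (area_len - pos >= ENTRY_HDR_LEN) {
        size_t len = area[pos + 2];          /* declared entry length */
        if (len < ENTRY_HDR_LEN || len > area_len - pos)
            return -1;
        pos += len;
        n++;
    }
    return n;
}

int main(void)
{
    struct cont_ref bad = { 10000, 64 };     /* constructed: 10000 bytes into a 4k block */
    const uint8_t area[] = { 'P','X',8,1,0,0,0,0, 'N','M',5,1,'a' }; /* constructed */

    printf("cont_ref_ok=%d entries=%d\n",
           cont_ref_ok(&bad, 4096), walk_entries(area, sizeof(area)));
    return 0;
}
```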