mirror of
https://git.freebsd.org/ports.git
synced 2025-05-16 09:11:50 -04:00
4a84c93f31
repository. Note that CVE-2015-0247 had already been fixed in 1.42.12 proper. Security: 2a4bcd7d-bbb8-11e4-903c-080027ef73ec Security: CVE-2015-1572
31 lines
1.2 KiB
Text
31 lines
1.2 KiB
Text
From dab7435917698bb490cce61fc8be1be0a862cf66 Mon Sep 17 00:00:00 2001
|
|
From: "Darrick J. Wong" <darrick.wong@oracle.com>
|
|
Date: Sat, 25 Oct 2014 13:56:42 -0700
|
|
Subject: libext2fs: directory iteration mustn't walk off the buffer end
|
|
|
|
When we're iterating a directory, the loop control code reads the
|
|
length of the next directory record, failing to account for the fact
|
|
that there must be at least 8 bytes (the minimum size of a directory
|
|
entry) left in the buffer to read the next directory record. Fix the
|
|
loop conditional so that we don't read off the end of the buffer.
|
|
|
|
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
|
Reported-by: Sami Liedes <sami.liedes@iki.fi>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
|
|
index 589af69..0744ee8 100644
|
|
--- ./lib/ext2fs/dir_iterate.c
|
|
+++ ./lib/ext2fs/dir_iterate.c
|
|
@@ -202,7 +202,7 @@ int ext2fs_process_dir_block(ext2_filsys fs,
|
|
if (ctx->errcode)
|
|
return BLOCK_ABORT;
|
|
|
|
- while (offset < fs->blocksize) {
|
|
+ while (offset < fs->blocksize - 8) {
|
|
dirent = (struct ext2_dir_entry *) (ctx->buf + offset);
|
|
if (ext2fs_get_rec_len(fs, dirent, &rec_len))
|
|
return BLOCK_ABORT;
|
|
--
|
|
cgit v0.10.2
|
|
|