Re: [PATCH] fat: Read buffer overflow
From: Pekka Enberg
Date: Sat Aug 08 2009 - 02:56:41 EST
Hi Hirofumi-san,
Roel Kluin <roel.kluin@xxxxxxxxx> writes:
>> If len is less or equal to 0, this results in a read of s[-1].
>>
>> Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
>> ---
>> diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
>> index 6f27853..114ff6d 100644
>> --- a/fs/fat/namei_vfat.c
>> +++ b/fs/fat/namei_vfat.c
>> @@ -202,6 +202,9 @@ static inline int vfat_is_used_badchars(const wchar_t *s, int len)
>> {
>> int i;
>>
>> + if (len <= 0)
>> + return -EINVAL;
>> +
>> for (i = 0; i < len; i++)
>> if (vfat_bad_char(s[i]))
>> return -EINVAL;
On Sat, Aug 8, 2009 at 2:06 AM, OGAWA
Hirofumi<hirofumi@xxxxxxxxxxxxxxxxxx> wrote:
> Um..., what case is this possible? vfat_add_entry() checks (len == 0).
> And if xlate_to_uni() couldn't convert name, it should return the error.
Yes, but we pass "ulen" to vfat_is_used_badchars(). The value of
"ulen" is a returned in the "longlen" argument of xlate_to_uni() which
in turn is calculated as follows for the UTF-8 case:
int name_len = strlen(name);
*outlen = utf8s_to_utf16s(name, PATH_MAX, (wchar_t *) outname);
*outlen -= (name_len - len);
*longlen = *outlen;
Maybe "*outlen" can never be negative because of some invariants that
I don't see but it's so non-obvious to me that I'd like to see the
explicit check in vfat_is_used_badchars().
Pekka
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/