diff options
| author | Andrew Morton <akpm@osdl.org> | 2005-06-21 17:16:50 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-06-21 19:07:38 -0700 |
| commit | e595447e177b39aa6c96baaa57b30cde2d8b9df7 (patch) | |
| tree | 7c6c1be2e623fc3cefb1a0afcb51247293a393eb /fs/isofs/rock.h | |
| parent | 9eb7f2c67c41d2cd730aedcd23e5baca09211d03 (diff) | |
| download | linux-stable-e595447e177b39aa6c96baaa57b30cde2d8b9df7.tar.gz linux-stable-e595447e177b39aa6c96baaa57b30cde2d8b9df7.tar.bz2 linux-stable-e595447e177b39aa6c96baaa57b30cde2d8b9df7.zip | |
[PATCH] rock.c: handle corrupted directories
The bug in rock.c is that it's totally trusting of the contents of the
directories. If the directory says there's a continuation 10000 bytes into
this 4k block then we cheerily poke around in memory we don't own and oops.
So change rock_continue() to apply various sanity checks, at least ensuring
that the offset+length remain within the bounds for the header part of a
struct rock_ridge directory entry.
Note that the kernel can still overindex the buffer due to the variable size
of the rock-ridge directory entries. We cannot check that in rock_continue()
unless we go parse the directory entry's signature and work out its size.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs/isofs/rock.h')
0 files changed, 0 insertions, 0 deletions