Merge from NetBSD:

Fix a panic that occurred when trying to traverse a corrupt msdosfs filesystem. With this particular corruption, the code in pcbmap() would compute an offset into an array that was way out of bounds, so check the bounds before trying to access and return an error if the offset would be out of bounds. Submitted by: Xin LI
author: tjr <tjr@FreeBSD.org> 2004-09-08 10:57:09 +0000
committer: tjr <tjr@FreeBSD.org> 2004-09-08 10:57:09 +0000
commit: 1d085394336dc06a0fd195ff4225080701b6fa5f (patch)
tree: 26f2de1beeff85b388bd96866ea8038c505d077f /sys/fs/msdosfs/msdosfs_fat.c
parent: 8337118014694f7f25c0fe0425553914b6ae882a (diff)
download: FreeBSD-src-1d085394336dc06a0fd195ff4225080701b6fa5f.zip
FreeBSD-src-1d085394336dc06a0fd195ff4225080701b6fa5f.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/fs/msdosfs/msdosfs_fat.c b/sys/fs/msdosfs/msdosfs_fat.c
index 394c9ec..8c11423 100644
--- a/sys/fs/msdosfs/msdosfs_fat.c
+++ b/sys/fs/msdosfs/msdosfs_fat.c
@@ -237,6 +237,11 @@ pcbmap(dep, findcn, bnp, cnp, sp)
 			bp_bn = bn;
 		}
 		prevcn = cn;
+		if (bo >= bsize) {
+			if (bp)
+				brelse(bp);
+			return (EIO);
+		}
 		if (FAT32(pmp))
 			cn = getulong(&bp->b_data[bo]);
 		else
author	tjr <tjr@FreeBSD.org>	2004-09-08 10:57:09 +0000
committer	tjr <tjr@FreeBSD.org>	2004-09-08 10:57:09 +0000
commit	1d085394336dc06a0fd195ff4225080701b6fa5f (patch)
tree	26f2de1beeff85b388bd96866ea8038c505d077f /sys/fs/msdosfs/msdosfs_fat.c
parent	8337118014694f7f25c0fe0425553914b6ae882a (diff)
download	FreeBSD-src-1d085394336dc06a0fd195ff4225080701b6fa5f.zip FreeBSD-src-1d085394336dc06a0fd195ff4225080701b6fa5f.tar.gz