authorkp <kp@FreeBSD.org>2016-04-29 20:19:41 +0000
committerkp <kp@FreeBSD.org>2016-04-29 20:19:41 +0000
commit3f7a5f21485e7540713ce7dce4f64e59f39b7bfb (patch)
tree9f466d4b31ff87d2014e15c5ed69191dd498534b /sys/fs
parentf33895ae7171cb60f5bc04b2941cb78d5621fd55 (diff)
MFC r298664
msdosfs: Prevent buffer overflow when expanding win95 names In win2unixfn() we expand Windows 95 style long names. In some cases that requires moving the data in the nbp->nb_buf buffer backwards to make room. That code failed to check for overflows, leading to a stack overflow in win2unixfn(). We now check for this event, and mark the entire conversion as failed in that case. This means we present the 8 character, dos style, name instead. PR: 204643 Differential Revision: https://reviews.freebsd.org/D6015
Diffstat (limited to 'sys/fs')
-rw-r--r--sys/fs/msdosfs/direntry.h2
-rw-r--r--sys/fs/msdosfs/msdosfs_conv.c30
2 files changed, 23 insertions, 9 deletions
diff --git a/sys/fs/msdosfs/direntry.h b/sys/fs/msdosfs/direntry.h
index 86b6fbb..facec30 100644
--- a/sys/fs/msdosfs/direntry.h
+++ b/sys/fs/msdosfs/direntry.h
@@ -145,7 +145,7 @@ struct msdosfsmount;
char *mbnambuf_flush(struct mbnambuf *nbp, struct dirent *dp);
void mbnambuf_init(struct mbnambuf *nbp);
-void mbnambuf_write(struct mbnambuf *nbp, char *name, int id);
+int mbnambuf_write(struct mbnambuf *nbp, char *name, int id);
int dos2unixfn(u_char dn[11], u_char *un, int lower,
struct msdosfsmount *pmp);
int unix2dosfn(const u_char *un, u_char dn[12], size_t unlen, u_int gen,
diff --git a/sys/fs/msdosfs/msdosfs_conv.c b/sys/fs/msdosfs/msdosfs_conv.c
index 6671afc..5e6c20d 100644
--- a/sys/fs/msdosfs/msdosfs_conv.c
+++ b/sys/fs/msdosfs/msdosfs_conv.c
@@ -678,7 +678,9 @@ win2unixfn(nbp, wep, chksum, pmp)
switch (code) {
case 0:
*np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
return chksum;
case '/':
*np = '\0';
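Review bot: The new `return -1;` after `mbnambuf_write()` drops the specific errno and has no comment saying why the conversion is abandoned; the same three lines recur in the hunks at -696, -714 and -728. A one-line comment at each site, e.g. `/* Substring could not be stored; fail so the short (8.3) name is used. */`, would carry the intent from the commit message into the code. Because the check is identical in all four places, a small static wrapper around the call would keep them from drifting apart. win2unixfn's body starts and ends outside this hunk, so how its callers treat -1 is not visible here.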
@@ -696,7 +698,9 @@ win2unixfn(nbp, wep, chksum, pmp)
switch (code) {
case 0:
*np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
return chksum;
case '/':
*np = '\0';
@@ -714,7 +718,9 @@ win2unixfn(nbp, wep, chksum, pmp)
switch (code) {
case 0:
*np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
return chksum;
case '/':
*np = '\0';
@@ -728,7 +734,8 @@ win2unixfn(nbp, wep, chksum, pmp)
cp += 2;
}
*np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
return chksum;
}
@@ -1030,7 +1037,7 @@ mbnambuf_init(struct mbnambuf *nbp)
* This only penalizes portions of substrings that contain more than
* WIN_CHARS bytes when they are first encountered.
*/
-void
+int
mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
{
char *slot;
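Review bot: The comment block above `mbnambuf_write()` is not updated for the new `int` return, so a reader has to piece the contract together from the individual return statements. Add a closing paragraph to that comment saying the function returns 0 on success, `EINVAL` when `id` is out of sequence (the "non-decreasing id" case), and `ENAMETOOLONG` when the substring does not fit. As far as the visible lines show, every error return precedes both `bcopy()` calls, so the comment can also state that `nbp` is left unmodified on failure. The function body continues past this hunk; the return values listed come from the later hunks of this commit.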
@@ -1041,7 +1048,7 @@ mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
printf("msdosfs: non-decreasing id: id %d, last id %d\n",
id, nbp->nb_last_id);
#endif
- return;
+ return (EINVAL);
}
/* Will store this substring in a WIN_CHARS-aligned slot. */
@@ -1052,17 +1059,24 @@ mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
#ifdef MSDOSFS_DEBUG
printf("msdosfs: file name length %zu too large\n", newlen);
#endif
- return;
+ return (ENAMETOOLONG);
}
/* Shift suffix upwards by the amount length exceeds WIN_CHARS. */
- if (count > WIN_CHARS && nbp->nb_len != 0)
+ if (count > WIN_CHARS && nbp->nb_len != 0) {
+ if ((id * WIN_CHARS + count + nbp->nb_len) >
+ sizeof(nbp->nb_buf))
+ return (ENAMETOOLONG);
+
bcopy(slot + WIN_CHARS, slot + count, nbp->nb_len);
+ }
/* Copy in the substring to its slot and update length so far. */
bcopy(name, slot, count);
nbp->nb_len = newlen;
nbp->nb_last_id = id;
+
+ return (0);
}
/*
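Review bot: The added bound on `id * WIN_CHARS + count + nbp->nb_len` sits inside the shift branch only, so the final `bcopy(name, slot, count)` is still reached without a slot-offset check when `count <= WIN_CHARS` or `nbp->nb_len == 0`. The earlier `newlen` test limits the total length, not where `slot` points, so whether a high `id` can place `slot + count` past `nb_buf` depends on bounds enforced by callers that are not shown here. Consider an unconditional guard before the branch, `if (id < 0 || (size_t)id * WIN_CHARS + count > sizeof(nbp->nb_buf)) return (ENAMETOOLONG);`, keeping the stricter in-branch test for the shifted suffix. The explicit `id < 0` test and cast also avoid relying on `int` `id * WIN_CHARS` being converted to an unsigned type in the comparison. The assignments to `slot` and `count` lie between the hunks, so this reading is inferred from the comments and the `bcopy()` arguments.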