author | kp <kp@FreeBSD.org> | 2016-04-29 20:19:41 +0000 |
---|---|---|
committer | kp <kp@FreeBSD.org> | 2016-04-29 20:19:41 +0000 |
commit | 3f7a5f21485e7540713ce7dce4f64e59f39b7bfb (patch) | |
tree | 9f466d4b31ff87d2014e15c5ed69191dd498534b /sys/fs | |
parent | f33895ae7171cb60f5bc04b2941cb78d5621fd55 (diff) | |
download | FreeBSD-src-3f7a5f21485e7540713ce7dce4f64e59f39b7bfb.zip FreeBSD-src-3f7a5f21485e7540713ce7dce4f64e59f39b7bfb.tar.gz |
MFC r298664
msdosfs: Prevent buffer overflow when expanding win95 names
In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().
We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.
PR: 204643
Differential Revision: https://reviews.freebsd.org/D6015
Diffstat (limited to 'sys/fs')
-rw-r--r-- | sys/fs/msdosfs/direntry.h | 2 | ||||
-rw-r--r-- | sys/fs/msdosfs/msdosfs_conv.c | 30 |
2 files changed, 23 insertions, 9 deletions
diff --git a/sys/fs/msdosfs/direntry.h b/sys/fs/msdosfs/direntry.h
index 86b6fbb..facec30 100644
--- a/sys/fs/msdosfs/direntry.h
+++ b/sys/fs/msdosfs/direntry.h
@@ -145,7 +145,7 @@ struct msdosfsmount;
 char *mbnambuf_flush(struct mbnambuf *nbp, struct dirent *dp);
 void mbnambuf_init(struct mbnambuf *nbp);
-void mbnambuf_write(struct mbnambuf *nbp, char *name, int id);
+int mbnambuf_write(struct mbnambuf *nbp, char *name, int id);
 int dos2unixfn(u_char dn[11], u_char *un, int lower, struct msdosfsmount *pmp);
 int unix2dosfn(const u_char *un, u_char dn[12], size_t unlen, u_int gen,
diff --git a/sys/fs/msdosfs/msdosfs_conv.c b/sys/fs/msdosfs/msdosfs_conv.c
index 6671afc..5e6c20d 100644
--- a/sys/fs/msdosfs/msdosfs_conv.c
+++ b/sys/fs/msdosfs/msdosfs_conv.c
@@ -678,7 +678,9 @@ win2unixfn(nbp, wep, chksum, pmp)
 switch (code) {
 case 0:
 *np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
 return chksum;
 case '/':
 *np = '\0';
@@ -696,7 +698,9 @@ win2unixfn(nbp, wep, chksum, pmp)
 switch (code) {
 case 0:
 *np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
 return chksum;
 case '/':
 *np = '\0';
@@ -714,7 +718,9 @@ win2unixfn(nbp, wep, chksum, pmp)
 switch (code) {
 case 0:
 *np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name,
+ (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
 return chksum;
 case '/':
 *np = '\0';
@@ -728,7 +734,8 @@ win2unixfn(nbp, wep, chksum, pmp)
 cp += 2;
 }
 *np = '\0';
- mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1);
+ if (mbnambuf_write(nbp, name, (wep->weCnt & WIN_CNT) - 1) != 0)
+ return -1;
 return chksum;
 }
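Review bot: The `return -1` added after each failed `mbnambuf_write` is the right fallback, but the same three lines are now repeated at all four exits of win2unixfn and nothing in the function documents what `-1` means to the caller. I would record the contract once above the function, e.g. `/* Returns the running checksum, or -1 when the long-name pieces cannot be assembled; the caller then falls back to the short DOS name. */` — the commit message says the 8-character DOS name is presented, so that is what the caller is being relied upon to do; if the function has other `-1` exits above these hunks, fold them into the same comment. The duplicated check could also be collapsed by having the three `case 0:` arms jump to one shared `done:` label that performs the write and the test, though that is a larger reshuffle than this fix needs. win2unixfn's declaration, its entry validation and the start of its loop are outside these hunks.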
@@ -1030,7 +1037,7 @@ mbnambuf_init(struct mbnambuf *nbp)
  * This only penalizes portions of substrings that contain more than
  * WIN_CHARS bytes when they are first encountered.
  */
-void
+int
 mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
 {
 char *slot;
@@ -1041,7 +1048,7 @@ mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
 printf("msdosfs: non-decreasing id: id %d, last id %d\n", id, nbp->nb_last_id);
 #endif
- return;
+ return (EINVAL);
 }
 /* Will store this substring in a WIN_CHARS-aligned slot. */
@@ -1052,17 +1059,24 @@ mbnambuf_write(struct mbnambuf *nbp, char *name, int id)
 #ifdef MSDOSFS_DEBUG
 printf("msdosfs: file name length %zu too large\n", newlen);
 #endif
- return;
+ return (ENAMETOOLONG);
 }
 /* Shift suffix upwards by the amount length exceeds WIN_CHARS. */
- if (count > WIN_CHARS && nbp->nb_len != 0)
+ if (count > WIN_CHARS && nbp->nb_len != 0) {
+ if ((id * WIN_CHARS + count + nbp->nb_len) >
+ sizeof(nbp->nb_buf))
+ return (ENAMETOOLONG);
+
 bcopy(slot + WIN_CHARS, slot + count, nbp->nb_len);
+ }
 /* Copy in the substring to its slot and update length so far. */
 bcopy(name, slot, count);
 nbp->nb_len = newlen;
 nbp->nb_last_id = id;
+
+ return (0);
 }
 /* |
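Review bot: The new bound check only guards the shift path; the unconditional `bcopy(name, slot, count)` a few lines below still writes `count` bytes at `&nbp->nb_buf[id * WIN_CHARS]`, and nothing visible in this hunk bounds `id * WIN_CHARS + count` against `sizeof(nbp->nb_buf)` — the earlier `newlen > WIN_MAXLEN` test bounds `nb_len + count`, not the slot offset (the `slot` computation itself sits between the two hunks). That matters most for the first substring written, when `nb_len == 0` and the check is skipped entirely, if a high `id` arrives together with a `count` above `WIN_CHARS`. Unless the caller already constrains `id` and `count` jointly (win2unixfn's validation of `weCnt` is outside these hunks), I would hoist the test out of the conditional so it runs before either copy: `if ((size_t)id * WIN_CHARS + count + nbp->nb_len > sizeof(nbp->nb_buf)) return (ENAMETOOLONG);` — the cast also makes a negative `id`, should one ever reach here, fail the test rather than index before the buffer. A comment such as `/* Both copies below must end inside nb_buf: the shifted suffix at slot + count, then the new substring at slot. */` would record the invariant the check enforces.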