Hi,
On Wed, 18 Jan 2023 08:23:56 +0000 Lidong Chen <lidong.c...@oracle.com> wrote:
> Added a check for the SP entry data boundary before reading it.
>
> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
> Reviewed-by: Thomas Schmitt <scdbac...@gmx.net>
> ---
> grub-core/fs/iso9660.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
> index 65c8862b6..c6d65fc22 100644
> --- a/grub-core/fs/iso9660.c
> +++ b/grub-core/fs/iso9660.c
> @@ -409,6 +409,9 @@ set_rockridge (struct grub_iso9660_data *data)
> if (!sua_size)
> return GRUB_ERR_NONE;
>
> + if (sua_size < GRUB_ISO9660_SUSP_HEADER_SZ)
> + return grub_error (GRUB_ERR_BAD_FS, "invalid rock ridge entry size");
> +
> sua = grub_malloc (sua_size);
> if (! sua)
> return grub_errno;
> @@ -435,8 +438,17 @@ set_rockridge (struct grub_iso9660_data *data)
> rootnode.have_symlink = 0;
> rootnode.dirents[0] = data->voldesc.rootdir;
>
> - /* The 2nd data byte stored how many bytes are skipped every time
> - to get to the SUA (System Usage Area). */
> + /* The size of SP (version 1) is fixed to 7. */
> + if (sua_size < 7 || entry->len < 7)
> + {
> + grub_free (sua);
> + return grub_error (GRUB_ERR_BAD_FS, "corrupted rock ridge entry");
> + }
> +
> + /*
> + * The 2nd data byte stored how many bytes are skipped every time
> + * to get to the SUA (System Usage Area).
> + */
> data->susp_skip = entry->data[2];
> entry = (struct grub_iso9660_susp_entry *) ((char *) entry +
> entry->len);
>
> --
> 2.35.1
Reviewed-by: Thomas Schmitt <scdbac...@gmx.net>
My minor objections towards v1 are now addressed.
Have a nice day :)
Thomas
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
