valid_reparse_data() would read past the end of the reparse point buffer (an out-of-bounds read of on-disk data) if it was passed a malformed reparse point that carried the tag for a mount point or a symlink but whose data buffer was smaller than the fixed-size MOUNT_POINT_REPARSE_DATA / SYMLINK_REPARSE_DATA header. Fix this by validating the buffer size before those structures are dereferenced.
Signed-off-by: Eric Biggers <ebigge...@gmail.com>
---
 libntfs-3g/reparse.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libntfs-3g/reparse.c b/libntfs-3g/reparse.c
index 354f7bb..b0f96ae 100644
--- a/libntfs-3g/reparse.c
+++ b/libntfs-3g/reparse.c
@@ -446,6 +446,11 @@ static BOOL valid_reparse_data(ntfs_inode *ni,
 if (ok) {
 switch (reparse_attr->reparse_tag) {
 case IO_REPARSE_TAG_MOUNT_POINT :
+ if (size < sizeof(REPARSE_POINT)
+ + sizeof(struct MOUNT_POINT_REPARSE_DATA)) {
+ ok = FALSE;
+ break;
+ }
 mount_point_data = (const struct MOUNT_POINT_REPARSE_DATA*)
 reparse_attr->reparse_data;
 offs = le16_to_cpu(mount_point_data->subst_name_offset);
@@ -458,6 +463,11 @@ static BOOL valid_reparse_data(ntfs_inode *ni,
 ok = FALSE;
 break;
 case IO_REPARSE_TAG_SYMLINK :
+ if (size < sizeof(REPARSE_POINT)
+ + sizeof(struct SYMLINK_REPARSE_DATA)) {
+ ok = FALSE;
+ break;
+ }
 symlink_data = (const struct SYMLINK_REPARSE_DATA*)
 reparse_attr->reparse_data;
 offs = le16_to_cpu(symlink_data->subst_name_offset);
-- 
2.9.3

------------------------------------------------------------------------------
_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
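Review bot: The new guard in the IO_REPARSE_TAG_MOUNT_POINT case only establishes that the fixed part of MOUNT_POINT_REPARSE_DATA fits in `size`; `subst_name_offset`, read on the hunk's last line, and the length and print-name fields read after it are still untrusted on-disk values, so every access into `reparse_data` past the fixed header must additionally be bounded against `size - sizeof(REPARSE_POINT) - sizeof(struct MOUNT_POINT_REPARSE_DATA)`. valid_reparse_data() starts and ends outside the hunk, so I cannot see whether such a bound already exists further down; if it does, this reduces to a documentation request. The guard is also only as strong as `size` itself, which must be the number of bytes actually present in the buffer rather than a length field parsed from the same untrusted data — its origin is outside the hunk. I would add `/* the fixed part must fit before any of its fields is dereferenced */` above the new `if` so the ordering of the check and the cast is not disturbed by a later refactor.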
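Review bot: The IO_REPARSE_TAG_SYMLINK guard is a line-for-line copy of the mount-point guard with only the struct name changed, and it carries the same limitation: it protects the dereference of the fixed SYMLINK_REPARSE_DATA header, not the `subst_name_offset` read on the last line nor the name bytes that offset points at, which have to be range-checked against `size` separately (the remainder of the case is outside the hunk). Keeping two identical guards in sync by hand is fragile; if more tags are added later, computing the required minimum once per tag and checking it before the switch would be less error-prone. At minimum a comment such as `/* fixed part of the symlink data must fit before its fields are read */` would record why the guard has to precede the cast.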