Module Name:    src
Committed By:   reinoud
Date:           Wed Sep 17 19:47:05 UTC 2014

Modified Files:
        src/sys/fs/udf: udf.h udf_subr.c

Log Message:
As pointed out by wiz@ prevent a possible attack or corruption that results in
an endless loop of indirect descriptors being processed.

The number of indirect descriptors followed is now capped.
While here, also fix a use-after-free bug!


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/sys/fs/udf/udf.h
cvs rdiff -u -r1.125 -r1.126 src/sys/fs/udf/udf_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/fs/udf/udf.h
diff -u src/sys/fs/udf/udf.h:1.46 src/sys/fs/udf/udf.h:1.47
--- src/sys/fs/udf/udf.h:1.46	Fri Oct 18 19:56:55 2013
+++ src/sys/fs/udf/udf.h	Wed Sep 17 19:47:05 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: udf.h,v 1.46 2013/10/18 19:56:55 christos Exp $ */
+/* $NetBSD: udf.h,v 1.47 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -128,6 +128,8 @@ extern int udf_verbose;
 #define UDF_DISC_SLACK		(128)			/* picked, at least 64 kb or 128 */
 #define UDF_ISO_VRS_SIZE	(32*2048)		/* 32 ISO `sectors' */
 
+#define UDF_MAX_INDIRS_FOLLOW	1024			/* picked */
+
 
 /* structure space */
 #define UDF_ANCHORS		4	/* 256, 512, N-256, N */
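Review bot: The comment on the new `UDF_MAX_INDIRS_FOLLOW` define reads only `/* picked */`, which tells a reader neither what the constant bounds nor why a bound is needed, and the log message is the only place that explains it. Suggest `/* max. indirect ICB entries followed per node; bounds chains that loop */` so the purpose survives without the commit history. The value itself looks arbitrary, which is fine, but the comment should say it is an upper bound on a chain length and not a structural limit of the format.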

Index: src/sys/fs/udf/udf_subr.c
diff -u src/sys/fs/udf/udf_subr.c:1.125 src/sys/fs/udf/udf_subr.c:1.126
--- src/sys/fs/udf/udf_subr.c:1.125	Tue Jul 29 15:36:43 2014
+++ src/sys/fs/udf/udf_subr.c	Wed Sep 17 19:47:05 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $ */
+/* $NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -29,7 +29,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $");
 #endif /* not lint */
 
 
@@ -5290,6 +5290,7 @@ udf_get_node(struct udf_mount *ump, stru
 	uint32_t lb_size, sector, dummy;
 	int udf_file_type, dscr_type, strat, strat4096, needs_indirect;
 	int slot, eof, error;
+	int num_indir_followed = 0;
 
 	DPRINTF(NODE, ("udf_get_node called\n"));
 	*udf_noderes = udf_node = NULL;
@@ -5392,8 +5393,12 @@ udf_get_node(struct udf_mount *ump, stru
 		/* if dealing with an indirect entry, follow the link */
 		if (dscr_type == TAGID_INDIRECTENTRY) {
 			needs_indirect = 0;
-			udf_free_logvol_dscr(ump, &icb_loc, dscr);
 			icb_loc = dscr->inde.indirect_icb;
+			udf_free_logvol_dscr(ump, &icb_loc, dscr);
+			if (++num_indir_followed > UDF_MAX_INDIRS_FOLLOW) {
+				error = EMLINK;
+				break;
+			}
 			continue;
 		}
 
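Review bot: Moving the free below `icb_loc = dscr->inde.indirect_icb;` fixes the use-after-free, but it also changes what `udf_free_logvol_dscr(ump, &icb_loc, dscr)` receives: icb_loc now holds the target of the indirect entry, not the location the descriptor being freed was read from. If udf_free_logvol_dscr uses that location for anything (partition or pool selection, say), copy the target first and free under the old location: `struct long_ad next_icb = dscr->inde.indirect_icb; udf_free_logvol_dscr(ump, &icb_loc, dscr); icb_loc = next_icb;`. The new `break` on EMLINK also leaves dscr pointing at freed memory; if the code after the loop inspects or frees dscr on the error path, add `dscr = NULL;` right after the free so the limit path cannot turn into a double free. The enclosing loop and udf_get_node's error handling lie outside this hunk, and the counter declaration is in the hunk at line 68.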
