Hi,

while constructing the long file name of a directory entry, it is
possible to access the longName array out of bounds.

Long file names in FAT are supported by additional "long filename"
directory entries.  They are kept in reverse (from top to bottom)
with an additional 0x40 flag at the start, e.g. 0x43->0x02->0x01.
This would link three entries to form a long name.

As shown in this example, the index won't end at 0 but 1.  Therefore,
the code subtracts 1... without checking if the specified index was
0 already.

NetBSD has a fix for this too, but rather ignores that entry.
I don't agree with that; after all, the entry _is_ wrong.  Therefore,
consider it erroneous and ask the user to remove the offending entry.


Tobias

Index: dir.c
===================================================================
RCS file: /cvs/src/sbin/fsck_msdos/dir.c,v
retrieving revision 1.23
diff -u -p -r1.23 dir.c
--- dir.c       18 Jun 2014 17:29:07 -0000      1.23
+++ dir.c       18 Jun 2014 19:02:03 -0000
@@ -534,6 +534,14 @@ readDosDirSection(int f, struct bootbloc
                                        vallfn = NULL;
                                }
                                lidx = *p & LRNOMASK;
+                               if (lidx == 0) {
+                                       if (!invlfn) {
+                                               invlfn = vallfn;
+                                               invcl = valcl;
+                                       }
+                                       vallfn = NULL;
+                                       continue;
+                               }
                                t = longName + --lidx * 13;
                                for (k = 1; k < 11 && t < longName + 
sizeof(longName); k += 2) {
                                        if (!p[k] && !p[k + 1])
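Review bot: in the new `lidx == 0` branch, if `vallfn` is already NULL when it runs, `invlfn` stays NULL and the entry is dropped via `continue` without ever being reported, which is the NetBSD behaviour the message says it wants to avoid. The context directly above the hunk shows `vallfn = NULL;` being assigned, so that state is reachable at this point. Suggest adding a fallback after the existing block, something like `if (!invlfn) { invlfn = p; ... }` recording the current entry `p` and its cluster the same way `vallfn`/`valcl` are recorded, so the offending entry itself is what gets shown to the user.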

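The chain layout described above (0x43 -> 0x02 -> 0x01, each entry carrying 13 UCS-2 characters, index 1 holding the first 13 characters) as an added, self-contained example; this is not fsck_msdos code and not part of the original mail. It reassembles a long name from constructed 32-byte directory entries and rejects the index-0 entry that the patch catches, instead of computing a slot at (0 - 1) * 13. The character offsets (1-10, 14-25, 28-31), attribute byte 0x0F at offset 11, checksum at offset 13 and the 20-entry cap are the standard FAT LFN layout; the checksum value 0x5A and the sample name are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_ENTRY_SIZE 32
#define ATTR_LFN       0x0F
#define LFN_LAST       0x40   /* set on the physically first entry (highest index) */
#define LFN_SEQ_MASK   0x3F
#define LFN_CHARS      13
#define LFN_MAX_SEQ    20     /* a 255-character name needs at most 20 entries */

/* Byte offsets of the 13 UCS-2LE characters inside one LFN entry. */
static const int lfn_off[LFN_CHARS] = { 1, 3, 5, 7, 9, 14, 16, 18, 20, 22, 24, 28, 30 };

/* Walk entries until the short entry that closes the chain. Returns 0 and
 * writes the name to out, or -1 if the chain is malformed. */
int lfn_assemble(const uint8_t *dir, size_t nentries, char *out, size_t outlen)
{
    char name[LFN_MAX_SEQ * LFN_CHARS + 1];
    int expect = -1;   /* index the next entry must carry; -1 = no chain open */
    uint8_t csum = 0;

    memset(name, 0, sizeof name);
    for (size_t i = 0; i < nentries; i++) {
        const uint8_t *p = dir + i * DIR_ENTRY_SIZE;

        if (p[11] != ATTR_LFN) {
            /* Short entry: the chain must have ended with index 1. */
            if (expect != 0 || strlen(name) >= outlen)
                return -1;
            strcpy(out, name);
            return 0;
        }

        unsigned seq = p[0] & LFN_SEQ_MASK;
        /* Index 0 would place this entry's characters at (0 - 1) * 13,
         * i.e. before the buffer: reject it instead of subtracting. */
        if (seq == 0 || seq > LFN_MAX_SEQ)
            return -1;
        if (p[0] & LFN_LAST) {
            if (expect != -1)          /* a new chain started inside an open one */
                return -1;
            csum = p[13];
        } else if ((int)seq != expect || p[13] != csum) {
            return -1;                 /* gap in the sequence or checksum mismatch */
        }

        size_t slot = (size_t)(seq - 1) * LFN_CHARS;
        for (int k = 0; k < LFN_CHARS; k++) {
            uint16_t c = (uint16_t)(p[lfn_off[k]] | (p[lfn_off[k] + 1] << 8));
            if (c == 0x0000 || c == 0xFFFF)   /* NUL terminator or 0xFFFF padding */
                break;
            name[slot + k] = c < 0x80 ? (char)c : '?';   /* ASCII only in this demo */
        }
        expect = (int)seq - 1;
    }
    return -1;   /* chain never closed by a short entry */
}

/* Build one constructed LFN entry holding up to 13 ASCII characters. */
static void make_lfn(uint8_t *e, uint8_t seqbyte, const char *part, uint8_t csum)
{
    size_t n = strlen(part);
    memset(e, 0xFF, DIR_ENTRY_SIZE);   /* unused character slots are 0xFFFF */
    e[0] = seqbyte;
    e[11] = ATTR_LFN;
    e[12] = 0;
    e[13] = csum;
    e[26] = e[27] = 0;                 /* first-cluster field is 0 in LFN entries */
    for (size_t k = 0; k < LFN_CHARS && k <= n; k++) {
        e[lfn_off[k]] = (uint8_t)part[k];   /* part[n] is the NUL terminator */
        e[lfn_off[k] + 1] = 0;
    }
}

/* Constructed directory: "longfilename.txt" as the chain 0x42 -> last_seqbyte -> short. */
static size_t sample_dir(uint8_t *buf, uint8_t last_seqbyte)
{
    make_lfn(buf, 0x42, "txt", 0x5A);
    make_lfn(buf + DIR_ENTRY_SIZE, last_seqbyte, "longfilename.", 0x5A);
    memset(buf + 2 * DIR_ENTRY_SIZE, 0, DIR_ENTRY_SIZE);
    memcpy(buf + 2 * DIR_ENTRY_SIZE, "LONGFI~1TXT", 11);
    buf[2 * DIR_ENTRY_SIZE + 11] = 0x20;   /* ATTR_ARCHIVE: a plain short entry */
    return 3;
}

/* Well-formed chain (0x42 -> 0x01): returns the reassembled name, NULL if rejected. */
const char *sample_valid_name(void)
{
    static uint8_t dir[3 * DIR_ENTRY_SIZE];
    static char out[256];
    return lfn_assemble(dir, sample_dir(dir, 0x01), out, sizeof out) == 0 ? out : NULL;
}

/* Same chain, but the final entry claims index 0: must be rejected (-1). */
int sample_zero_index(void)
{
    static uint8_t dir[3 * DIR_ENTRY_SIZE];
    char out[256];
    return lfn_assemble(dir, sample_dir(dir, 0x00), out, sizeof out);
}

int main(void)
{
    const char *name = sample_valid_name();
    printf("valid chain   -> %s\n", name ? name : "(rejected)");
    printf("index-0 entry -> %s\n", sample_zero_index() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check on `seq` happens before any arithmetic on it, which is the ordering the patch restores; the upper bound and the checksum/sequence continuity checks are extra validation a reader may want when writing their own walker, not claims about what fsck_msdos does.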