Commit e7a4eb86 authored by Vegard Nossum's avatar Vegard Nossum Committed by Jan Kara

udf: limit the maximum number of TD redirections

Filesystem fuzzing revealed that we could get stuck in the
udf_process_sequence() loop.

The maximum limit was chosen arbitrarily but fixes the problem I saw.
Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent 331221fa
...@@ -1585,6 +1585,13 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ ...@@ -1585,6 +1585,13 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
brelse(bh); brelse(bh);
} }
/*
* Maximum number of Terminating Descriptor redirections. The chosen number is
* arbitrary - just that we hopefully don't limit any real use of rewritten
* inode on write-once media but avoid looping for too long on corrupted media.
*/
#define UDF_MAX_TD_NESTING 64
/* /*
* Process a main/reserve volume descriptor sequence. * Process a main/reserve volume descriptor sequence.
* @block First block of first extent of the sequence. * @block First block of first extent of the sequence.
...@@ -1609,6 +1616,7 @@ static noinline int udf_process_sequence( ...@@ -1609,6 +1616,7 @@ static noinline int udf_process_sequence(
uint16_t ident; uint16_t ident;
long next_s = 0, next_e = 0; long next_s = 0, next_e = 0;
int ret; int ret;
unsigned int indirections = 0;
memset(vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH); memset(vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH);
...@@ -1679,6 +1687,12 @@ static noinline int udf_process_sequence( ...@@ -1679,6 +1687,12 @@ static noinline int udf_process_sequence(
} }
break; break;
case TAG_IDENT_TD: /* ISO 13346 3/10.9 */ case TAG_IDENT_TD: /* ISO 13346 3/10.9 */
if (++indirections > UDF_MAX_TD_NESTING) {
udf_err(sb, "too many TDs (max %u supported)\n", UDF_MAX_TD_NESTING);
brelse(bh);
return -EIO;
}
vds[VDS_POS_TERMINATING_DESC].block = block; vds[VDS_POS_TERMINATING_DESC].block = block;
if (next_e) { if (next_e) {
block = next_s; block = next_s;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment