summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorAndrew Morton <akpm@osdl.org>2005-06-22 02:16:50 +0200
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-06-22 04:07:38 +0200
commite595447e177b39aa6c96baaa57b30cde2d8b9df7 (patch)
tree7c6c1be2e623fc3cefb1a0afcb51247293a393eb /security
parent[PATCH] isofs: remove debug stuff (diff)
downloadlinux-e595447e177b39aa6c96baaa57b30cde2d8b9df7.tar.xz
linux-e595447e177b39aa6c96baaa57b30cde2d8b9df7.zip
[PATCH] rock.c: handle corrupted directories
The bug in rock.c is that it's totally trusting of the contents of the directories. If the directory says there's a continuation 10000 bytes into this 4k block then we cheerily poke around in memory we don't own and oops. So change rock_continue() to apply various sanity checks, at least ensuring that the offset+length remain within the bounds for the header part of a struct rock_ridge directory entry. Note that the kernel can still overindex the buffer due to the variable size of the rock-ridge directory entries. We cannot check that in rock_continue() unless we go parse the directory entry's signature and work out its size. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions