lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20080908133505.GA3031@alice>
Date:	Mon, 8 Sep 2008 15:35:05 +0200
From:	Eric Sesterhenn <snakebyte@....de>
To:	linux-kernel@...r.kernel.org
Cc:	zippel@...ux-m68k.org, akpm@...ux-foundation.org
Subject: [Patch] hfs: fix namelength memory corruption

hi,

this is basically the same as
hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch.
We use the length parameter for a memcopy without checking it and
thereby corruption memory. 

Signed-off-by: Eric Sesterhenn <snakebyte@....de>

--- linux/fs/hfs/catalog.c.orig	2008-09-08 15:20:15.000000000 +0200
+++ linux/fs/hfs/catalog.c	2008-09-08 15:21:02.000000000 +0200
@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block
 
 	fd->search_key->cat.ParID = rec.thread.ParID;
 	len = fd->search_key->cat.CName.len = rec.thread.CName.len;
+	if (len > HFS_NAMELEN) {
+		printk(KERN_ERR "hfs: bad catalog namelength\n");
+		return -EIO;
+	}
 	memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
 	return hfs_brec_find(fd);
 }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ