lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 4 Jan 2016 18:19:07 +0100
From:	Jan Kara <jack@...e.cz>
To:	Andrew Gabbasov <andrew_gabbasov@...tor.com>
Cc:	Jan Kara <jack@...e.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 2/7] udf: Check output buffer length when converting
 name to CS0

On Thu 24-12-15 10:25:33, Andrew Gabbasov wrote:
> If a name contains at least some characters with Unicode values
> exceeding single byte, the CS0 output should have 2 bytes per character.
> And if other input characters have single byte Unicode values, then
> the single input byte is converted to 2 output bytes, and the length
> of output becomes larger than the length of input. And if the input
> name is long enough, the output length may exceed the allocated buffer
> length.
> 
> All this means that conversion from UTF8 or NLS to CS0 requires
> checking of output length in order to stop when it exceeds the given
> output buffer size.
> 
> Signed-off-by: Andrew Gabbasov <andrew_gabbasov@...tor.com>

I have taken this patch to my tree with a slight modification that
udf_xxxtoCS0 functions return 0 when they would need to truncate the name.
That way we properly return ENAMETOOLONG when user tries to create name we
cannot store instead of silently truncating it.

								Honza
> ---
>  fs/udf/unicode.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
> index 95a224b..155f912 100644
> --- a/fs/udf/unicode.c
> +++ b/fs/udf/unicode.c
> @@ -177,17 +177,18 @@ int udf_CS0toUTF8(struct ustr *utf_o, const struct ustr *ocu_i)
>  static int udf_UTF8toCS0(dstring *ocu, struct ustr *utf, int length)
>  {
>  	unsigned c, i, max_val, utf_char;
> -	int utf_cnt, u_len;
> +	int utf_cnt, u_len, u_ch;
>  
>  	memset(ocu, 0, sizeof(dstring) * length);
>  	ocu[0] = 8;
>  	max_val = 0xffU;
> +	u_ch = 1;
>  
>  try_again:
>  	u_len = 0U;
>  	utf_char = 0U;
>  	utf_cnt = 0U;
> -	for (i = 0U; i < utf->u_len; i++) {
> +	for (i = 0U; (i < utf->u_len) && ((u_len + 1 + u_ch) < length); i++) {
>  		c = (uint8_t)utf->u_name[i];
>  
>  		/* Complete a multi-byte UTF-8 character */
> @@ -229,6 +230,7 @@ try_again:
>  			if (max_val == 0xffU) {
>  				max_val = 0xffffU;
>  				ocu[0] = (uint8_t)0x10U;
> +				u_ch = 2;
>  				goto try_again;
>  			}
>  			goto error_out;
> @@ -299,15 +301,16 @@ static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni,
>  	int len;
>  	unsigned i, max_val;
>  	uint16_t uni_char;
> -	int u_len;
> +	int u_len, u_ch;
>  
>  	memset(ocu, 0, sizeof(dstring) * length);
>  	ocu[0] = 8;
>  	max_val = 0xffU;
> +	u_ch = 1;
>  
>  try_again:
>  	u_len = 0U;
> -	for (i = 0U; i < uni->u_len; i++) {
> +	for (i = 0U; (i < uni->u_len) && ((u_len + 1 + u_ch) < length); i++) {
>  		len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char);
>  		if (!len)
>  			continue;
> @@ -320,6 +323,7 @@ try_again:
>  		if (uni_char > max_val) {
>  			max_val = 0xffffU;
>  			ocu[0] = (uint8_t)0x10U;
> +			u_ch = 2;
>  			goto try_again;
>  		}
>  
> -- 
> 2.1.0
> 
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ