Validated minimum size of mountpoint/symlink reparse points

valid_reparse_data() would read past the end of the reparse point buffer
if it was passed a malformed reparse point that had the tag for a
mountpoint or a symlink but had a data buffer smaller than expected.
Fix this by validating the buffer size.

(contributed by Eric Biggers)
This commit is contained in:
Jean-Pierre André 2017-02-11 10:00:34 +01:00
parent 3c5fb9b352
commit 376f4cbca7


@ -446,6 +446,11 @@ static BOOL valid_reparse_data(ntfs_inode *ni,
if (ok) {
switch (reparse_attr->reparse_tag) {
case IO_REPARSE_TAG_MOUNT_POINT :
if (size < sizeof(REPARSE_POINT) +
sizeof(struct MOUNT_POINT_REPARSE_DATA)) {
ok = FALSE;
break;
}
mount_point_data = (const struct MOUNT_POINT_REPARSE_DATA*)
reparse_attr->reparse_data;
offs = le16_to_cpu(mount_point_data->subst_name_offset);
@ -458,6 +463,11 @@ static BOOL valid_reparse_data(ntfs_inode *ni,
ok = FALSE;
break;
case IO_REPARSE_TAG_SYMLINK :
if (size < sizeof(REPARSE_POINT) +
sizeof(struct SYMLINK_REPARSE_DATA)) {
ok = FALSE;
break;
}
symlink_data = (const struct SYMLINK_REPARSE_DATA*)
reparse_attr->reparse_data;
offs = le16_to_cpu(symlink_data->subst_name_offset);
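Review bot: The new size checks in both hunks guard only the fixed header of the reparse data; the `offs` read right after each check, and the length it is presumably combined with, still need to be bounded against the bytes that remain after `sizeof(REPARSE_POINT) + sizeof(struct ...)`, which is not visible in either hunk, so please confirm the existing range checks compare against `size` rather than an unvalidated field. The two checks are identical in shape and the header sum appears twice, so hoisting them into per-tag minimums, e.g. `size_t minsz = sizeof(REPARSE_POINT) + sizeof(struct MOUNT_POINT_REPARSE_DATA);` before the switch, would make the relationship between `size` and the header explicit and harder to get wrong when a third tag is added. A one-line comment at each check, `/* fixed part of the reparse data must fit before reading name offsets */`, would state the invariant the later reads rely on. This note also assumes `size` is the full reparse attribute length including the `REPARSE_POINT` header, as the subtraction implies; the body of valid_reparse_data() starts and ends outside these hunks.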