cd9660: Add various length checks when parsing RRIP extensions
Needs ReviewPublic
Actions

Authored by jhb on Wed, May 20, 7:09 PM.

Details

Reviewers

emaste
des

Summary

Pass the length of a RockRidge attribute to the handler functions and
validate that length in each handler. If a parsing error is detected,
abort the entire parsing pass.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 73803
Build 70686: arc lint + arc unit

Event Timeline

jhb created this revision.Wed, May 20, 7:09 PM

Herald added a subscriber: imp. · View Herald TranscriptWed, May 20, 7:09 PM

jhb requested review of this revision.Wed, May 20, 7:09 PM

Harbormaster completed remote builds in B73292: Diff 178222.Wed, May 20, 7:09 PM

jhb added a parent revision: D57135: cd9660: Don't parse RRIP records whose length overflows the sector boundary.Wed, May 20, 7:09 PM

While the previous patch in this stack fixes a reproducer from Robert, this followup patch is intended as additional robustness. With both of these I was able to still mount a FreeBSD install CD and all of the attributes reported by find /mnt -ls were the same before and after the patches.

des added a subscriber: des.Fri, Jun 5, 3:32 PM

des added inline comments.

sys/fs/cd9660/cd9660_rrip.c
146–155	why is this not the loop initialization?

emaste added inline comments.Fri, Jun 5, 3:33 PM

sys/fs/cd9660/cd9660_rrip.c
516–519	Ought to have the check before `p->len_id` above

jhb added inline comments.Fri, Jun 5, 4:00 PM

sys/fs/cd9660/cd9660_rrip.c
146–155	Because it isn't the thing being iterated (pcomp) which would be the normal thing to set in the initializer. This is more like a TAILQ_FOREACH_SAFE(). The assignment here is more to pacify the compiler, but it isn't needed as the loop body always initializes `pcompn` before it can be used in the last clause. I haven't actually tried building without this assignment, perhaps modern compilers are smart enough to not warn?
516–519	Oops, yes.