msdosfs: Prevent buffer overflow when expanding win95 names
ClosedPublic
Actions

Authored by kp on Apr 16 2016, 10:38 AM.

Details

Reviewers

jilles
pfg

Summary

In win2unixfn() we expand Windows 95 style long names. In some cases that
requires moving the data in the nbp->nb_buf buffer backwards to make room. That
code failed to check for overflows, leading to a stack overflow in win2unixfn().

We now check for this event, and mark the entire conversion as failed in that
case. This means we present the 8 character, dos style, name instead.

PR: 204643

Test Plan

Using this image:
https://people.freebsd.org/~kp/readdir.img.bz2

mdconfig readdir.img
mount_msdosfs -o longnames -D cp1251 -L ru_RU.UTF-8 /dev/md0 /mnt
ls /mnt

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

kp updated this revision to Diff 15263.Apr 16 2016, 10:38 AM

kp retitled this revision from to msdosfs: Prevent buffer overflow when expanding win95 names.

kp updated this object.

kp edited the test plan for this revision. (Show Details)

kp set the repository for this revision to rS FreeBSD src repository - subversion.

Herald added a subscriber: imp. · View Herald TranscriptApr 16 2016, 10:38 AM

pfg added a reviewer: pfg.Apr 23 2016, 9:19 PM

I only started looking at it.
mbnambuf_write() doesn't exist on NetBSD (or OpenBSD), and it looks like a good place to check for the overflow.

Break up long lines.

Looks good to me.

This revision is now accepted and ready to land.Apr 24 2016, 1:21 PM

This is good because it looks like it will at least prevent the panic, but it may not make the files accessible since there need not be a short name. Adding a comment may be appropriate.

Regarding style, the new return value uses an uncommon convention (outside code related to Linux).

sys/fs/msdosfs/msdosfs_conv.c
1031	Returning a negative error number is Linux style. We usually return a positive error number or 0 if successful in this kind of function. (If there is both a non-trivial successful return value and an error number, the successful return value is passed by reference.) The caller usually stores the return value in a variable called `error`.
1042	Doh! It detected the problem but simply continued on anyway.

rename 'ret' to 'error'
Use positive error numbers

This revision now requires review to proceed.Apr 25 2016, 11:01 AM

In D5977#129496, @jilles wrote:

This is good because it looks like it will at least prevent the panic, but it may not make the files accessible since there need not be a short name. Adding a comment may be appropriate.

It's my understanding that there should always be a short filename (to keep the fs usable as a plain fat fs). I've deliberately chosen to use that one instead of truncating the name (as netbsd does) to avoid getting in the situation where two directory entries have the same (truncated) name.

In D5977#129534, @kristof wrote:

In D5977#129496, @jilles wrote:

This is good because it looks like it will at least prevent the panic, but it may not make the files accessible since there need not be a short name. Adding a comment may be appropriate.

It's my understanding that there should always be a short filename (to keep the fs usable as a plain fat fs). I've deliberately chosen to use that one instead of truncating the name (as netbsd does) to avoid getting in the situation where two directory entries have the same (truncated) name.

Searching more, it appears that short filenames are optional in NTFS, but not in FAT. This means that FreeBSD can still be affected by this problem but not in msdosfs.

The change looks good to me.

This revision is now accepted and ready to land.Apr 25 2016, 2:10 PM

Committed (with further style fixes suggested by Bruce Evans) as r298664.

emaste mentioned this in D6015: Pass SIOCSIFCAP request to vlan(4)'s parent if there is one..Apr 26 2016, 10:03 PM