Page MenuHomeFreeBSD
Differential D57136

cd9660: Add various length checks when parsing RRIP extensions
ClosedPublic
Actions

Authored by jhb on May 20 2026, 7:09 PM.
Tags
None
Referenced Files
F160645541: D57136.id180309.diff
Fri, Jun 26, 11:07 AM
F160596335: D57136.id180309.diff
Fri, Jun 26, 1:04 AM
Unknown Object (File)
Thu, Jun 25, 10:51 AM
Unknown Object (File)
Thu, Jun 25, 9:27 AM
Unknown Object (File)
Wed, Jun 24, 7:43 AM
Unknown Object (File)
Wed, Jun 24, 5:12 AM
Unknown Object (File)
Fri, Jun 19, 2:26 PM
Unknown Object (File)
Fri, Jun 19, 3:21 AM
View All 20 Files
Subscribers
des
imp

Details

Reviewers
emaste
des
Commits
rG9cd0d6231311: cd9660: Add various length checks when parsing RRIP extensions
Summary

Pass the length of a RockRidge attribute to the handler functions and
validate that length in each handler. If a parsing error is detected,
abort the entire parsing pass.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 73292
Build 70175: arc lint + arc unit

Event Timeline

jhb created this revision.May 20 2026, 7:09 PM
Herald added a subscriber: imp. · View Herald TranscriptMay 20 2026, 7:09 PM
jhb requested review of this revision.May 20 2026, 7:09 PM
Harbormaster completed remote builds in B73292: Diff 178222.May 20 2026, 7:09 PM
jhb added a parent revision: D57135: cd9660: Don't parse RRIP records whose length overflows the sector boundary.May 20 2026, 7:09 PM
jhb added a comment.May 20 2026, 7:15 PM

While the previous patch in this stack fixes a reproducer from Robert, this followup patch is intended as additional robustness. With both of these I was able to still mount a FreeBSD install CD and all of the attributes reported by find /mnt -ls were the same before and after the patches.

des added a subscriber: des.Fri, Jun 5, 3:32 PM
des added inline comments.
sys/fs/cd9660/cd9660_rrip.c
146

why is this not the loop initialization?

emaste added inline comments.Fri, Jun 5, 3:33 PM
sys/fs/cd9660/cd9660_rrip.c
517–520

Ought to have the check before p->len_id above

jhb added inline comments.Fri, Jun 5, 4:00 PM
sys/fs/cd9660/cd9660_rrip.c
146

Because it isn't the thing being iterated (pcomp) which would be the normal thing to set in the initializer. This is more like a TAILQ_FOREACH_SAFE(). The assignment here is more to pacify the compiler, but it isn't needed as the loop body always initializes pcompn before it can be used in the last clause. I haven't actually tried building without this assignment, perhaps modern compilers are smart enough to not warn?

517–520

Oops, yes.

des accepted this revision.Fri, Jun 5, 4:20 PM

modulo fix for the issue @emaste raised

This revision is now accepted and ready to land.Fri, Jun 5, 4:20 PM
jhb updated this revision to Diff 179570.Wed, Jun 10, 2:12 PM

Fixups

This revision now requires review to proceed.Wed, Jun 10, 2:12 PM
Harbormaster completed remote builds in B73803: Diff 179570.Wed, Jun 10, 2:12 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mon, Jun 22, 4:47 PM
Closed by commit rG9cd0d6231311: cd9660: Add various length checks when parsing RRIP extensions (authored by jhb). · Explain Why
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rG9cd0d6231311: cd9660: Add various length checks when parsing RRIP extensions.

Revision Contents
Changeset List

PathSize
sys/
fs/
cd9660/
181 lines
1 line

Diff 178222

View Options

sys/fs/cd9660/cd9660_rrip.c

Loading...
View Options

sys/fs/cd9660/iso_rrip.h

Loading...