udf: Reject read requests with an invalid length

- If the size is negative or if rounding it up to a multiple of the block size overflows, fail the read request with ERANGE. - While here, add a sanity check that the ICB length for the root directory is at least as long as a minimum-sized file entry. PR: 257768 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41220
2023-08-04 16:40:19 -07:00 · 2023-08-04 16:40:19 -07:00 · c70e615051
commit c70e615051
parent 9e6941a2c7
2 changed files with 8 additions and 1 deletions
--- a/sys/fs/udf/udf.h
+++ b/sys/fs/udf/udf.h
@ -97,8 +97,10 @@ struct ifid {
 MALLOC_DECLARE(M_UDFFENTRY);

 static __inline int
-udf_readdevblks(struct udf_mnt *udfmp, int sector, int size, struct buf **bp)
+udf_readdevblks(struct udf_mnt *udfmp, daddr_t sector, int size, struct buf **bp)
 {
+	if (size < 0 || size + udfmp->bmask < size)
+		return (ERANGE);
 	return (RDSECTOR(udfmp->im_devvp, sector,
 			 (size + udfmp->bmask) & ~udfmp->bmask, bp));
 }
--- a/sys/fs/udf/udf_vfsops.c
+++ b/sys/fs/udf/udf_vfsops.c
@ -482,6 +482,11 @@ udf_mountfs(struct vnode *devvp, struct mount *mp)
 	 */
 	sector = le32toh(udfmp->root_icb.loc.lb_num) + udfmp->part_start;
 	size = le32toh(udfmp->root_icb.len);
+	if (size < UDF_FENTRY_SIZE) {
+		printf("Invalid root directory file entry length %u\n",
+		    size);
+		goto bail;
+	}
 	if ((error = udf_readdevblks(udfmp, sector, size, &bp)) != 0) {
 		printf("Cannot read sector %d\n", sector);
 		goto bail;