• Al Viro's avatar
    get_rock_ridge_filename(): handle malformed NM entries · b8500fc5
    Al Viro authored
    [ Upstream commit 99d82582 ]
    
    Payloads of NM entries are not supposed to contain NUL.  When we run
    into such, only the part prior to the first NUL goes into the
    concatenation (i.e. the directory entry name being encoded by a bunch
    of NM entries).  We do stop when the amount collected so far + the
    claimed amount in the current NM entry exceed 254.  So far, so good,
    but what we return as the total length is the sum of *claimed*
    sizes, not the actual amount collected.  And that can grow pretty
    large - not unlimited, since you'd need to put CE entries in
    between to be able to get more than the maximum that could be
    contained in one isofs directory entry / continuation chunk and
    we are stop once we'd encountered 32 CEs, but you can get about 8Kb
    easily.  And that's what will be passed to readdir callback as the
    name length.  8Kb __copy_to_user() from a buffer allocated by
    __get_free_page()
    
    Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
    Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
    b8500fc5
rock.c 18.4 KB