An entry consists of the entry info and the component area. The entry info should take up 5 bytes instead of sizeof (*entry). The area after the first 5 bytes is the component area. The code uses the sizeof (*entry) to check the boundary, which is incorrect. Also, an entry may not have a component record. Added a check for the component length before reading the component record.
Signed-off-by: Lidong Chen <lidong.c...@oracle.com> --- grub-core/fs/iso9660.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c index 67aa8451c..af432ee82 100644 --- a/grub-core/fs/iso9660.c +++ b/grub-core/fs/iso9660.c @@ -662,10 +662,22 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, else if (grub_strncmp ("SL", (char *) entry->sig, 2) == 0) { unsigned int pos = 1; + unsigned int csize; - /* The symlink is not stored as a POSIX symlink, translate it. */ - while (pos + sizeof (*entry) < entry->len) + /* The symlink is not stored as a POSIX symlink, translate it. */ + while ((pos + GRUB_ISO9660_SUSP_HEADER_SZ) < entry->len) { + /* + * entry->len is GRUB_ISO9660_SUSP_HEADER_SZ plus the + * length of the 'Component Record'. The length of the + * record is 2 (pos and pos + 1) plus the actual record + * starting at pos + 2. pos stores the 'Component Flags', + * pos + 1 specifies the length of actual record. + */ + csize = entry->data[pos + 1] + 2; + if (csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len) + break; + /* The current position is the `Component Flag'. */ switch (entry->data[pos] & 30) { @@ -681,8 +693,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, return grub_errno; } - add_part (ctx, (char *) &entry->data[pos + 2], - entry->data[pos + 1]); + if (entry->data[pos + 1] > 0) + { + add_part (ctx, (char *) &entry->data[pos + 2], + entry->data[pos + 1]); + } ctx->was_continue = (entry->data[pos] & 1); break; } -- 2.35.1 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
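Review bot: the new bounds check in the first hunk leaves `pos` out of the comparison. The component record being validated starts at `entry->data[pos]` and its bytes run to `entry->data[pos + csize - 1]`, but `if (csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len)` compares the record length against the whole entry as if the record began at `data[0]`. Once the loop has advanced `pos` past the first component, a record whose own length fits inside the entry can still pass the check while its tail lies beyond `entry->len`, so the check should be `if (pos + csize + GRUB_ISO9660_SUSP_HEADER_SZ > entry->len) break;`. It is also worth confirming that the loop condition `(pos + GRUB_ISO9660_SUSP_HEADER_SZ) < entry->len` keeps `entry->data[pos + 1]`, which is read to compute `csize`, inside the entry and not just `entry->data[pos]`.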
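Review bot: the second hunk guards `add_part` on `entry->data[pos + 1] > 0` without saying why a zero-length component is acceptable here rather than malformed. The commit message describes an entry with no component record, but that case is what the `csize` check in the first hunk covers; this guard handles a present record with an empty body, so a one-line comment such as `/* A component with no name bytes adds nothing to the path. */` would record the intent. Leaving the `ctx->was_continue` update in place for the empty component looks correct, since the continuation flag still has to be honoured.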