Ext4Pkg: Fix global buffer overflow in Ext4ReadDir

A directory entry structure can contain a name_len bigger than the size of "."
or "..", which is why CompareMem in such cases leads to a global buffer
overflow. So there are two problems. The first is that the statement doesn't
check cases when name_len != 0 but > 2, and the second is that we are passing
a big Length to the CompareMem routine.
The correct way here is to check that name_len <= 2 and check for
null-terminator presence.

Signed-off-by: Savva Mitrofanov <savvamtr@gmail.com>
Savva Mitrofanov 2022-10-26 21:19:26 +06:00
parent fbb8595120
commit 7413548584
No known key found for this signature in database
GPG Key ID: 774924031750BF64


@ -491,11 +491,9 @@ Ext4ReadDir (
// Entry.name_len may be 0 if it's a nameless entry, like an unused entry
// or a checksum at the end of the directory block.
// memcmp (and CompareMem) return 0 when the passed length is 0.
IsDotOrDotDot = Entry.name_len != 0 &&
(CompareMem (Entry.name, ".", Entry.name_len) == 0 ||
CompareMem (Entry.name, "..", Entry.name_len) == 0);
IsDotOrDotDot = Entry.name_len <= 2 &&
((Entry.name[0] == '.') &&
(Entry.name[1] == '.' || Entry.name[1] == '\0'));
// When inode = 0, it's unused.
ShouldSkip = Entry.inode == 0 || IsDotOrDotDot;
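
Review bot: The new IsDotOrDotDot expression decides "." by testing Entry.name[1] == '\0', a byte that lies past the name when name_len is 1, and nothing in this hunk shows that byte is guaranteed to be zero. It also reads Entry.name[0] and Entry.name[1] when name_len is 0, so a nameless entry with leftover bytes in name can be classified as a dot entry. Keying the test on the length avoids both: (Entry.name_len == 1 && Entry.name[0] == '.') || (Entry.name_len == 2 && Entry.name[0] == '.' && Entry.name[1] == '.'). The comment above the assignment still explains CompareMem returning 0 for a zero length, which no longer applies once the CompareMem calls are gone, so it should be updated or dropped in the same change.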