From: Lubomir Rintel <lkundrak@v3.sk>
|
|
Date: Wed, 2 Dec 2009 22:49:11 +0100
|
|
Subject: [PATCH] Fix out-of bound writes
|
|
|
|
Firstly, packed attribute is added to the structure so that extension
|
|
is guaranteed to immediately follow name for the cross-name-extension
|
|
reads to succeed.
|
|
|
|
Secondly, writes into dir_entry->name that span through the extension as
|
|
well are split into two, so that FORTIFY_SOURCE's bound checking does
|
|
not abort dosfsck. There also was an off-by-one error in auto_rename()'s
|
|
sprintf().
|
|
|
|
diff -up dosfstools-3.0.6/src/check.c.bounds dosfstools-3.0.6/src/check.c
|
|
--- dosfstools-3.0.6/src/check.c.bounds 2009-10-04 09:15:58.000000000 +0200
|
|
+++ dosfstools-3.0.6/src/check.c 2009-12-06 12:32:42.922639364 +0100
|
|
@@ -131,7 +131,10 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, D
|
|
}
|
|
memset(de,0,sizeof(DIR_ENT));
|
|
while (1) {
|
|
- sprintf(de->name,pattern,curr_num);
|
|
+ char expanded[12];
|
|
+ sprintf(expanded, pattern, curr_num);
|
|
+ memcpy(de->name+4, expanded, 4);
|
|
+ memcpy(de->ext, expanded+4, 3);
|
|
clu_num = fs->root_cluster;
|
|
i = 0;
|
|
offset2 = cluster_start(fs,clu_num);
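Review bot: The two new memcpy() calls use offsets 4/4/3, so the expanded string lands at `de->name+4` and only its first seven characters are used, whereas the removed sprintf() wrote from `de->name[0]`. After the memset() above, `de->name[0..3]` stay zero, and a FAT directory entry whose first byte is 0 is read as the end-of-directory marker, so the new entry would presumably never be seen. For an 8+3 layout the split should be `memcpy(de->name, expanded, 8);` and `memcpy(de->ext, expanded+8, 3);`. `pattern` is supplied by the caller and is not visible here, so the expansion into `expanded[12]` should be bounded as well: `snprintf(expanded, sizeof expanded, pattern, curr_num);`. The loop body continues outside the hunk.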
|
|
@@ -349,8 +352,11 @@ static void auto_rename(DOS_FILE *file)
|
|
first = file->parent ? file->parent->first : root;
|
|
number = 0;
|
|
while (1) {
|
|
- sprintf(file->dir_ent.name, "FSCK%04d", number / 1000);
|
|
- sprintf(file->dir_ent.ext, "%03d", number % 1000);
|
|
+ char num[8];
|
|
+ sprintf(num, "%07d", number);
|
|
+ memcpy(file->dir_ent.name, "FSCK", 4);
|
|
+ memcpy(file->dir_ent.name+4, num, 4);
|
|
+ memcpy(file->dir_ent.ext, num+4, 3);
|
|
for (walk = first; walk; walk = walk->next)
|
|
if (walk != file && !strncmp(walk->dir_ent.name,file->dir_ent.
|
|
name,MSDOS_NAME)) break;
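Review bot: `sprintf(num, "%07d", number)` fits `num[8]` only while `number` is between 0 and 9999999; `%07d` sets a minimum width, so a larger or negative value writes past the end of the stack buffer. The increment of `number` is outside the hunk, so whether it is capped cannot be seen here. The write should be bounded with `snprintf(num, sizeof num, "%07d", number);`, and the loop should stop with an error once `number` exceeds 9999999. The strncmp() at the end of the hunk still reads MSDOS_NAME bytes starting at `name`, which now depends on the packed layout added in dosfsck.h.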
|
|
diff -up dosfstools-3.0.6/src/dosfsck.h.bounds dosfstools-3.0.6/src/dosfsck.h
|
|
--- dosfstools-3.0.6/src/dosfsck.h.bounds 2009-10-04 09:15:58.000000000 +0200
|
|
+++ dosfstools-3.0.6/src/dosfsck.h 2009-12-06 12:31:49.042643675 +0100
|
|
@@ -149,7 +149,7 @@ typedef struct {
|
|
__u16 starthi; /* High 16 bits of cluster in FAT32 */
|
|
__u16 time,date,start;/* time, date and first cluster */
|
|
__u32 size; /* file size (in bytes) */
|
|
-} DIR_ENT;
|
|
+} __attribute__ ((packed)) DIR_ENT;
|
|
|
|
typedef struct _dos_file {
|
|
DIR_ENT dir_ent;
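Review bot: `__attribute__ ((packed))` pins the layout, but it does not make a read through `name` past its end legal. The strncmp() over MSDOS_NAME bytes in auto_rename() still runs beyond the `name` member, and object-size-aware checkers can flag that read just as FORTIFY_SOURCE flagged the writes. Packing also lowers the struct's alignment to 1, so pointers taken to its `__u16`/`__u32` members may be misaligned on strict-alignment targets. The reason for the attribute should be recorded next to it, e.g. `/* packed: ext must directly follow name; both are read as one MSDOS_NAME-byte field */`, and a compile-time check that `sizeof(DIR_ENT)` matches the on-disk entry size (presumably 32 bytes) would catch layout drift. The struct's opening lines are outside the hunk.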
|
|
diff -up dosfstools-3.0.6/src/mkdosfs.c.bounds dosfstools-3.0.6/src/mkdosfs.c
|
|
--- dosfstools-3.0.6/src/mkdosfs.c.bounds 2009-10-04 09:15:58.000000000 +0200
|
|
+++ dosfstools-3.0.6/src/mkdosfs.c 2009-12-06 12:31:49.048645872 +0100
|
|
@@ -1254,7 +1254,8 @@ setup_tables (void)
|
|
if ( memcmp(volume_name, " ", 11) )
|
|
{
|
|
struct msdos_dir_entry *de = &root_dir[0];
|
|
- memcpy(de->name, volume_name, 11);
|
|
+ memcpy(de->name, volume_name, 8);
|
|
+ memcpy(de->ext, volume_name+8, 3);
|
|
de->attr = ATTR_VOLUME;
|
|
ctime = localtime(&create_time);
|
|
de->time = CT_LE_W((unsigned short)((ctime->tm_sec >> 1) +
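Review bot: The literal lengths 8 and 3 presumably repeat the sizes of `de->name` and `de->ext`. Tying each copy to its destination keeps the length and the bound from drifting apart: `memcpy(de->name, volume_name, sizeof de->name);` and `memcpy(de->ext, volume_name + sizeof de->name, sizeof de->ext);`. Both copies assume `volume_name` holds at least 11 bytes, as the memcmp() at the top of the hunk already does; its declaration is not visible here. setup_tables() starts and ends outside the hunk.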
|