libext2fs: directory iteration mustn't walk off the buffer end

When we're iterating a directory, the loop control code reads the length of the next directory record, failing to account for the fact that there must be at least 8 bytes (the minimum size of a directory entry) left in the buffer to read the next directory record. Fix the loop conditional so that we don't read off the end of the buffer. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reported-by: Sami Liedes <sami.liedes@iki.fi> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
author: Darrick J. Wong <darrick.wong@oracle.com> 2014-10-25 13:56:42 -0700
committer: Theodore Ts'o <tytso@mit.edu> 2014-11-04 11:39:51 -0500
commit: dab7435917698bb490cce61fc8be1be0a862cf66 (patch)
tree: 062272199fb3f135af0fb0728d9630412173f5fc /lib/ext2fs/dir_iterate.c
parent: 160f131deed7d3db2aa958051eef7ae8fafa8539 (diff)
download: e2fsprogs-dab7435917698bb490cce61fc8be1be0a862cf66.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ext2fs/dir_iterate.c b/lib/ext2fs/dir_iterate.c
index 589af692..0744ee85 100644
--- a/lib/ext2fs/dir_iterate.c
+++ b/lib/ext2fs/dir_iterate.c
@@ -202,7 +202,7 @@ int ext2fs_process_dir_block(ext2_filsys fs,
 	if (ctx->errcode)
 		return BLOCK_ABORT;
 
-	while (offset < fs->blocksize) {
+	while (offset < fs->blocksize - 8) {
 		dirent = (struct ext2_dir_entry *) (ctx->buf + offset);
 		if (ext2fs_get_rec_len(fs, dirent, &rec_len))
 			return BLOCK_ABORT;
author	Darrick J. Wong <darrick.wong@oracle.com>	2014-10-25 13:56:42 -0700
committer	Theodore Ts'o <tytso@mit.edu>	2014-11-04 11:39:51 -0500
commit	dab7435917698bb490cce61fc8be1be0a862cf66 (patch)
tree	062272199fb3f135af0fb0728d9630412173f5fc /lib/ext2fs/dir_iterate.c
parent	160f131deed7d3db2aa958051eef7ae8fafa8539 (diff)
download	e2fsprogs-dab7435917698bb490cce61fc8be1be0a862cf66.tar.gz