ref: a84a1b68d698d9a5cfa5efd55b057df7724996b2
parent: 358f3f8f49a50ea3f2032a31eb73f16411fad8a4
author: Kaho Ng <ngkaho1234@gmail.com>
date: Tue Jun 28 19:02:16 EDT 2016
ext4: fix possible access violation when copying name fields
--- a/include/ext4_types.h
+++ b/include/ext4_types.h
@@ -495,8 +495,7 @@
uint8_t name_len; /* Lower 8 bits of name length */
union ext4_dir_en_internal in;
-
- uint8_t name[EXT4_DIRECTORY_FILENAME_LEN]; /* Entry name */
+ uint8_t name[]; /* Entry name */
};
/* Structures for indexed directory */
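Review bot: Turning `name` into a flexible array member silently changes `sizeof` of this struct (it no longer includes the EXT4_DIRECTORY_FILENAME_LEN bytes), so any remaining use of `sizeof(struct ext4_dir_en)` as an entry size, a minimum record length, or a copy length elsewhere in the tree now yields a different value; the second hunk removes one such whole-struct memcpy, but the header hunk gives no way to confirm there are no others, so grep for `sizeof` of this type and for any struct that embeds it or declares an array of it, since a flexible array member is only legal as the last member of a standalone struct. The struct's opening line and its other fields are outside this hunk. A short comment would also save the next reader from the same surprise, e.g. `/* Entry name, not NUL terminated; length comes from name_len (via ext4_dir_en_get_name_len). Flexible member: sizeof(struct ext4_dir_en) excludes it. */`.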
--- a/src/ext4.c
+++ b/src/ext4.c
@@ -2949,6 +2949,7 @@
#define EXT4_DIR_ENTRY_OFFSET_TERM (uint64_t)(-1)
int r;
+ uint16_t name_length;
ext4_direntry *de = 0;
struct ext4_inode_ref dir;
struct ext4_dir_iter it;
@@ -2971,7 +2972,18 @@
goto Finish;
}
- memcpy(&d->de, it.curr, sizeof(ext4_direntry));
+ memset(&d->de.name, 0, sizeof(d->de.name));
+ name_length = ext4_dir_en_get_name_len(&d->f.mp->fs.sb,
+ it.curr);
+ memcpy(&d->de.name, it.curr->name, name_length);
+
+ /* Directly copying the content isn't safe for Big-endian targets*/
+ d->de.inode = ext4_dir_en_get_inode(it.curr);
+ d->de.entry_length = ext4_dir_en_get_entry_len(it.curr);
+ d->de.name_length = name_length;
+ d->de.inode_type = ext4_dir_en_get_inode_type(&d->f.mp->fs.sb,
+ it.curr);
+
de = &d->de;
ext4_dir_iterator_next(&it);
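Review bot: `name_length` is read straight from the on-disk directory entry and is not bounded before the `memcpy(&d->de.name, it.curr->name, name_length)`, so a corrupt or crafted image whose name-length field exceeds `sizeof(d->de.name)` overflows the destination buffer — the very class of bug the commit title says it fixes, now moved from the source side to the destination side. The `uint16_t` type suggests the getter can return values above 255, so the check is needed even if `d->de.name` is 255 bytes; add `if (name_length > sizeof(d->de.name)) { r = EIO; goto Finish; }` right after the getter (using whichever error code the existing `goto Finish` path at the top of this hunk expects), or clamp it if the callers tolerate truncation. Note that when `name_length == sizeof(d->de.name)` the preceding memset leaves no NUL terminator, so any consumer treating `d->de.name` as a C string must rely on `d->de.name_length` instead. Whether `name_length` is also validated against `entry_length` and the block boundary presumably happens in the iterator, but that is not visible here. The enclosing function begins before this hunk and continues after it.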