Source-Changes-HG archive


[src/trunk]: src/sys/fs/udf As pointed out by wiz@ prevent a possible attack ...



details:   https://anonhg.NetBSD.org/src/rev/8398f990b7e8
branches:  trunk
changeset: 332358:8398f990b7e8
user:      reinoud <reinoud%NetBSD.org@localhost>
date:      Wed Sep 17 19:47:05 2014 +0000

description:
As pointed out by wiz@ prevent a possible attack or corruption that results in
an endless loop of indirect descriptors being processed.

The number of indirect descriptors followed is now limited to a maximum.
While here, also fix a use-after-free bug!

diffstat:

 sys/fs/udf/udf.h      |   4 +++-
 sys/fs/udf/udf_subr.c |  11 ++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diffs (58 lines):

diff -r 3619811a3056 -r 8398f990b7e8 sys/fs/udf/udf.h
--- a/sys/fs/udf/udf.h  Wed Sep 17 16:49:20 2014 +0000
+++ b/sys/fs/udf/udf.h  Wed Sep 17 19:47:05 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udf.h,v 1.46 2013/10/18 19:56:55 christos Exp $ */
+/* $NetBSD: udf.h,v 1.47 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -128,6 +128,8 @@
 #define UDF_DISC_SLACK         (128)                   /* picked, at least 64 kb or 128 */
 #define UDF_ISO_VRS_SIZE       (32*2048)               /* 32 ISO `sectors' */
 
+#define UDF_MAX_INDIRS_FOLLOW  1024                    /* picked */
+
 
 /* structure space */
 #define UDF_ANCHORS            4       /* 256, 512, N-256, N */
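Review bot: The `/* picked */` comment on `UDF_MAX_INDIRS_FOLLOW` does not say what the limit bounds or why it exists, so a later reader cannot tell that it is a safety cap against looping descriptor chains. I would document it as `/* max indirect entries followed per node lookup; stops endless chains on corrupt or hostile media */`. For consistency with `UDF_DISC_SLACK` and `UDF_ISO_VRS_SIZE` just above, the value could also be parenthesized as `(1024)`.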
diff -r 3619811a3056 -r 8398f990b7e8 sys/fs/udf/udf_subr.c
--- a/sys/fs/udf/udf_subr.c     Wed Sep 17 16:49:20 2014 +0000
+++ b/sys/fs/udf/udf_subr.c     Wed Sep 17 19:47:05 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $ */
+/* $NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -29,7 +29,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $");
 #endif /* not lint */
 
 
@@ -5290,6 +5290,7 @@
        uint32_t lb_size, sector, dummy;
        int udf_file_type, dscr_type, strat, strat4096, needs_indirect;
        int slot, eof, error;
+       int num_indir_followed = 0;
 
        DPRINTF(NODE, ("udf_get_node called\n"));
        *udf_noderes = udf_node = NULL;
@@ -5392,8 +5393,12 @@
                /* if dealing with an indirect entry, follow the link */
                if (dscr_type == TAGID_INDIRECTENTRY) {
                        needs_indirect = 0;
+                       icb_loc = dscr->inde.indirect_icb;
                        udf_free_logvol_dscr(ump, &icb_loc, dscr);
-                       icb_loc = dscr->inde.indirect_icb;
+                       if (++num_indir_followed > UDF_MAX_INDIRS_FOLLOW) {
+                               error = EMLINK;
+                               break;
+                       }
                        continue;
                }
 
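Review bot: `udf_free_logvol_dscr(ump, &icb_loc, dscr)` is now called after `icb_loc` has been overwritten with the link target, so the free routine receives the location of the next descriptor rather than the one `dscr` was read from. Its body is not visible here, but if it keys anything on that argument the wrong entry is released; a temporary of the same type as `icb_loc` keeps the read-before-free fix without that side effect: `next_icb_loc = dscr->inde.indirect_icb;`, `udf_free_logvol_dscr(ump, &icb_loc, dscr);`, `icb_loc = next_icb_loc;`. On the `EMLINK` break, `dscr` still points at freed memory, so setting `dscr = NULL` after the free would be worthwhile unless the code after the loop is known not to touch it. The enclosing loop and function begin and end outside this hunk.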


