NetBSD-Bugs archive
bin/44529: [PATCH] fsck_msdos crashes when verifying corrupt file system
>Number: 44529
>Category: bin
>Synopsis: [PATCH] fsck_msdos crashes when verifying corrupt file system
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 07 14:55:00 +0000 2011
>Originator: Martin Danielsson
>Release: N/A (see environment)
>Organization:
Sony Ericsson
>Environment:
The crash was encountered in the Android version of fsck_msdos (Donut, Android
2.0).
>Description:
This bug-report and patch is for an issue that I encountered during the
development of the Sony Ericsson X10 Android based phone. Since the version of
fsck_msdos used in Android is based on BSD you might be interested in this
patch as well.
The problem I encountered was that fsck_msdos crashed when verifying the file
system on some specific memory cards.
"When checking file system on a corrupted memory card, fsck_msdos
will sometimes crash. Crash is due to an unexpected sequence number
being read when parsing long file name entries, causing an invalid
pointer being used in overwriting the adjacent _GLOBAL_OFFSET_TABLE_.
Solution is to mark the invalid entry for deletion and prevent use of
the invalid pointer."
The provided patch should apply without problems to the latest version in CVS.
>How-To-Repeat:
The problem is hard to reproduce without applying the specific corruption by
hand. When the problem was analyzed I had a memory card given to me by a user
that triggered the crash.
>Fix:
--- dir_orig.c 2011-02-07 11:20:51.708888879 +0100
+++ dir.c 2011-02-07 11:28:00.327638983 +0100
@@ -529,7 +529,7 @@
vallfn = p;
valcl = cl;
} else if (shortSum != p[13]
- || lidx != (*p & LRNOMASK)) {
+ || lidx != (*p & LRNOMASK) ||
!(*p & LRNOMASK)) {
if (!invlfn) {
invlfn = vallfn;
invcl = valcl;
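Review bot: the added "!(*p & LRNOMASK)" test sits only in the "else if" condition, so a zero sequence number is rejected on this branch alone; the branch above it (the one ending in "vallfn = p; valcl = cl;") gets no such test in this hunk. Consider validating the masked sequence number once, before either branch, written as "(*p & LRNOMASK) == 0" with a one-line comment that slot numbers start at 1. The continuation line "!(*p & LRNOMASK)) {" has also lost its "+" prefix to line wrapping, so the patch will not apply as posted; please resend it as an unwrapped attachment.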
@@ -542,7 +542,8 @@
}
lidx = *p & LRNOMASK;
t = longName + --lidx * 13;
- for (k = 1; k < 11 && t < longName +
sizeof(longName); k += 2) {
+ for (k = 1; k < 11 && t < longName +
sizeof(longName)
+ && t >= longName; k += 2) {
if (!p[k] && !p[k + 1])
break;
*t++ = p[k];
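Review bot: the "t >= longName" test added to the k = 1 loop runs after "t = longName + --lidx * 13" has already formed the pointer, and forming a pointer before the start of the array is undefined behaviour in C, so a compiler is allowed to treat the comparison as always true. Check the index instead, before computing t: reject the entry when "*p & LRNOMASK" is 0 or when the resulting offset would not leave room for the fragment inside sizeof(longName), and only then do the pointer arithmetic.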
@@ -553,7 +554,8 @@
t[-1] = '?';
}
if (k >= 11)
- for (k = 14; k < 26 && t < longName +
sizeof(longName); k += 2) {
+ for (k = 14; k < 26 && t < longName +
sizeof(longName)
+ && t >= longName; k +=
2) {
if (!p[k] && !p[k + 1])
break;
*t++ = p[k];
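Review bot: in the k = 14 loop the added "t >= longName" looks redundant as far as the visible lines show. This loop is only reached when "k >= 11", the first loop starts at k = 1 and cannot advance k at all if t begins below longName, and t is only ever incremented afterwards. A single index check ahead of the first loop would cover this loop too and keep the condition short.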
@@ -561,7 +563,8 @@
t[-1] = '?';
}
if (k >= 26)
- for (k = 28; k < 32 && t < longName +
sizeof(longName); k += 2) {
+ for (k = 28; k < 32 && t < longName +
sizeof(longName)
+ && t >= longName; k +=
2) {
if (!p[k] && !p[k + 1])
break;
*t++ = p[k];
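Review bot: with the k = 28 loop the same three-part bound "t < longName + sizeof(longName) && t >= longName" now appears three times, each wrapped over several lines. Computing the end of the buffer once before the loops, or moving the range check into one place ahead of them, would remove the duplication. None of these hunks prints a diagnostic when the bound fails, so it is worth stating in the commit message which visible path flags the entry as invalid.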
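The failure described in the report (a long-file-name slot whose sequence number masks to 0, so the fragment offset lands before the name buffer) can be avoided by validating the index before any pointer is formed. The following is an added example, not code from the report or from fsck_msdos: the function name, LFN_SEQ_MASK (assumed to correspond to LRNOMASK) and the buffer size are assumptions, and the sample slot is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LFN_SEQ_MASK  0x1f              /* assumed to match LRNOMASK in dir.c */
#define LFN_CHARS     13                /* name characters carried per slot */
#define LONGNAME_SIZE (20 * LFN_CHARS)  /* hypothetical buffer size */

/* Byte offsets of the 13 two-byte characters inside a 32-byte slot
 * (the same ranges the three loops in the patch walk: 1-10, 14-25, 28-31). */
static const unsigned char lfn_pos[LFN_CHARS] =
    { 1, 3, 5, 7, 9, 14, 16, 18, 20, 22, 24, 28, 30 };

/*
 * Copy one slot's name fragment into longname.
 * Returns the number of bytes written, or -1 when the sequence number is 0
 * or would place the fragment outside the buffer. Nothing is written on -1.
 */
static int
lfn_copy_slot(const unsigned char slot[32], char longname[LONGNAME_SIZE])
{
	unsigned seq = slot[0] & LFN_SEQ_MASK;
	size_t off;
	int n;

	if (seq == 0)                   /* slots are numbered from 1 */
		return -1;
	off = (size_t)(seq - 1) * LFN_CHARS;
	if (off > (size_t)(LONGNAME_SIZE - LFN_CHARS))
		return -1;              /* whole fragment must fit */
	for (n = 0; n < LFN_CHARS; n++) {
		unsigned char lo = slot[lfn_pos[n]], hi = slot[lfn_pos[n] + 1];
		if (lo == 0 && hi == 0) /* NUL character ends the name */
			break;
		longname[off + n] = hi ? '?' : (char)lo;
	}
	return n;
}

int
main(void)
{
	unsigned char slot[32] = { 0x40, 'A' }; /* constructed: flag set, seq 0 */
	char name[LONGNAME_SIZE] = { 0 };

	printf("seq 0 -> %d\n", lfn_copy_slot(slot, name));
	slot[0] = 0x41;                         /* constructed: flag set, seq 1 */
	printf("seq 1 -> %d\n", lfn_copy_slot(slot, name));
	return 0;
}
```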