Source-Changes-HG archive


[src/trunk]: src/usr.sbin/makefs PR/45285: Martin Matuska: makefs does not pr...



details:   https://anonhg.NetBSD.org/src/rev/01e90ec97352
branches:  trunk
changeset: 768648:01e90ec97352
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Aug 23 17:09:11 2011 +0000

description:
PR/45285: Martin Matuska: makefs does not properly convert ISO level 1 and 2
filenames (buffer overflow)

makefs does not properly verify the maximum filename length in the
special "." case for both ISO level 1 and ISO level 2 filename
conversion.  This creates broken images or causes a buffer overflow
(ISO level 2).

ISO level 1:
If a filename contains only dots or up to 8 characters followed by
dots, the 8+3 limit check doesn't work.

ISO level 2:
If a filename contains a dot in the first 30 characters and a dot
on the 30th character, the length limit check doesn't work and the
buffer is overflowed.

$ mkdir level1
$ touch level1/12345............
$ makefs -t cd9660 -o isolevel=1 test.iso level1

$ mkdir level2
$ touch level2/1234567890.2345678901234567.....34567890123456789012345
$ makefs -t cd9660 -o isolevel=2 test.iso level2
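As an added illustration of the level 1 problem described above (example code, not makefs' own; the function and macro names are assumptions), a small 8.3 converter that keeps the extension cap in the loop condition, so the all-dots and "name followed by dots" inputs from the report cannot write past the 8.3 form:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not makefs code: an ISO 9660 level 1 (8.3) name
 * converter shaped like makefs' loop, but with the length caps enforced
 * before anything is written, so "12345............" stays in 8.3 form. */
#define ISO1_NAME_MAX 8
#define ISO1_EXT_MAX  3
#define ISO1_BUF_LEN  (ISO1_NAME_MAX + 1 + ISO1_EXT_MAX + 1)   /* incl. NUL */

/* Convert oldname into newname (>= ISO1_BUF_LEN bytes); returns length written. */
size_t iso1_convert(const char *oldname, char *newname)
{
	size_t namelen = 0, extlen = 0;
	int found_ext = 0;
	char *p = newname;

	/* Extension cap in the loop condition: once three extension bytes
	 * exist nothing more is written, whichever branch would handle it. */
	for (; *oldname != '\0' && extlen < ISO1_EXT_MAX; oldname++) {
		unsigned char c = (unsigned char)*oldname;
		if (c == '.') {
			if (!found_ext) {	/* first period: the separator */
				found_ext = 1;
				*p++ = '.';
			} else {		/* later periods: extension bytes */
				*p++ = '_';
				extlen++;
			}
			continue;
		}
		if (!found_ext && namelen == ISO1_NAME_MAX)
			break;			/* name full and no extension follows */
		*p++ = isalnum(c) ? (char)toupper(c) : '_';   /* d-characters only */
		if (found_ext)
			extlen++;
		else
			namelen++;
	}
	*p = '\0';
	return (size_t)(p - newname);
}

int iso1_matches(const char *oldname, const char *expected)
{
	char buf[ISO1_BUF_LEN];	/* never overrun: at most 8 + 1 + 3 + NUL */
	iso1_convert(oldname, buf);
	return strcmp(buf, expected) == 0;
}
```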

diffstat:

 usr.sbin/makefs/cd9660.c |  13 +++++--------
 1 files changed, 5 insertions(+), 8 deletions(-)

diffs (55 lines):

diff -r 40033f68cc67 -r 01e90ec97352 usr.sbin/makefs/cd9660.c
--- a/usr.sbin/makefs/cd9660.c  Tue Aug 23 17:00:36 2011 +0000
+++ b/usr.sbin/makefs/cd9660.c  Tue Aug 23 17:09:11 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: cd9660.c,v 1.31 2011/08/06 23:25:19 christos Exp $     */
+/*     $NetBSD: cd9660.c,v 1.32 2011/08/23 17:09:11 christos Exp $     */
 
 /*
  * Copyright (c) 2005 Daniel Watt, Walter Deignan, Ryan Gabrys, Alan
@@ -103,7 +103,7 @@
 
 #include <sys/cdefs.h>
 #if defined(__RCSID) && !defined(__lint)
-__RCSID("$NetBSD: cd9660.c,v 1.31 2011/08/06 23:25:19 christos Exp $");
+__RCSID("$NetBSD: cd9660.c,v 1.32 2011/08/23 17:09:11 christos Exp $");
 #endif  /* !__lint */
 
 #include <string.h>
@@ -1637,7 +1637,7 @@
 
        while (*oldname != '\0') {
                /* Handle period first, as it is special */
-               if (*oldname == '.') {
+               if (*oldname == '.' && extlen < 3) {
                        if (found_ext) {
                                *newname++ = '_';
                                extlen ++;
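Review bot: the `extlen < 3` guard on `if (*oldname == '.' && extlen < 3)` only changes what happens to a period once the extension is full: instead of ending the loop, that period falls through to the `else` branch below and is handled as an ordinary character. The cap is easier to reason about in the loop condition, as the level 2 change later in this diff does, e.g. `while (*oldname != '\0' && extlen < 3)`, so nothing at all is written once three extension characters exist.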
@@ -1652,8 +1652,7 @@
                            *oldname == ',' && strlen(oldname) == 4)
                                break;
                        /* Enforce 12.3 / 8 */
-                       if (((namelen == 8) && !found_ext) ||
-                           (found_ext && extlen == 3)) {
+                       if (namelen == 8 && !found_ext)
                                break;
                        }
 
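Review bot: the `+` line `if (namelen == 8 && !found_ext)` drops the opening brace, but the unchanged `}` context line after `break;` stays, leaving an unmatched closing brace; either keep the braces on the new `if` or remove that `}` as well. Separately, the removed `(found_ext && extlen == 3)` half was the only extension-length check in this branch, and the period guard in the previous hunk only covers `.` characters, so a fourth ordinary extension character is no longer stopped here. Suggest keeping an extension-length check or moving `extlen < 3` into the `while` condition.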
@@ -1698,7 +1697,7 @@
        int extlen = 0;
        int found_ext = 0;
 
-       while (*oldname != '\0') {
+       while (*oldname != '\0' && namelen + extlen < 30) {
                /* Handle period first, as it is special */
                if (*oldname == '.') {
                        if (found_ext) {
@@ -1718,8 +1717,6 @@
                        if (diskStructure.archimedes_enabled &&
                            *oldname == ',' && strlen(oldname) == 4)
                                break;
-                       if ((namelen + extlen) == 30)
-                               break;
 
                         if (islower((unsigned char)*oldname))
                                *newname++ = toupper((unsigned char)*oldname);


