shithub: lwext4


ref: a84a1b68d698d9a5cfa5efd55b057df7724996b2
parent: 358f3f8f49a50ea3f2032a31eb73f16411fad8a4
author: Kaho Ng <[email protected]>
date: Tue Jun 28 19:02:16 EDT 2016

ext4: fix possible access violation when copying name fields

--- a/include/ext4_types.h
+++ b/include/ext4_types.h
@@ -495,8 +495,7 @@
 	uint8_t name_len;   /* Lower 8 bits of name length */
 
 	union ext4_dir_en_internal in;
-
-	uint8_t name[EXT4_DIRECTORY_FILENAME_LEN]; /* Entry name */
+	uint8_t name[]; /* Entry name */
 };
 
 /* Structures for indexed directory */
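Review bot: With `name` now a flexible array member, `sizeof` of this struct covers only the fixed header. Any code outside this hunk that uses the struct's size as "header plus full-length name", declares the struct by value, or embeds it in another struct changes meaning without a compiler error, so those uses are worth checking. The field comment could state the new contract, for example `uint8_t name[]; /* Entry name: variable length given by name_len, not counted in sizeof */`. The struct definition starts above the hunk, so the struct's name and remaining fields are not visible here.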
--- a/src/ext4.c
+++ b/src/ext4.c
@@ -2949,6 +2949,7 @@
 #define EXT4_DIR_ENTRY_OFFSET_TERM (uint64_t)(-1)
 
 	int r;
+	uint16_t name_length;
 	ext4_direntry *de = 0;
 	struct ext4_inode_ref dir;
 	struct ext4_dir_iter it;
@@ -2971,7 +2972,18 @@
 		goto Finish;
 	}
 
-	memcpy(&d->de, it.curr, sizeof(ext4_direntry));
+	memset(&d->de.name, 0, sizeof(d->de.name));
+	name_length = ext4_dir_en_get_name_len(&d->f.mp->fs.sb,
+					       it.curr);
+	memcpy(&d->de.name, it.curr->name, name_length);
+
+	/* Directly copying the content isn't safe for Big-endian targets*/
+	d->de.inode = ext4_dir_en_get_inode(it.curr);
+	d->de.entry_length = ext4_dir_en_get_entry_len(it.curr);
+	d->de.name_length = name_length;
+	d->de.inode_type = ext4_dir_en_get_inode_type(&d->f.mp->fs.sb,
+						      it.curr);
+
 	de = &d->de;
 
 	ext4_dir_iterator_next(&it);
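Review bot: `name_length` is read from the on-disk entry and passed straight to `memcpy(&d->de.name, it.curr->name, name_length)` without a bound on either side. Because it is a `uint16_t`, a corrupted or crafted image may be able to supply a length larger than `sizeof(d->de.name)`, which would overflow the destination. It could also exceed the bytes that actually belong to the entry, which would read past the directory block. Clamp or reject before the copy, e.g. `if (name_length > sizeof(d->de.name)) name_length = sizeof(d->de.name);`, and ideally also check it against `ext4_dir_en_get_entry_len(it.curr)` minus the fixed header. Note that when the length equals the buffer size, the preceding `memset` leaves no terminating NUL. The enclosing function starts and ends outside this hunk.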