packages/sleuthkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
sleuthkit/0013-fix_oob_read13.patch
cherry530 0534e4cbef fix OOB read in hfs_dir_open_meta_cb 
Signed-off-by: cherry530 <xuping33@huawei.com>
(cherry picked from commit 56613e9603253a85c9bb19ca099ff6973043122c)
2022-07-30 10:03:21 +08:00

101 lines
4.0 KiB
Diff
Raw Blame History

From 6bac602fc47bd668fb0b8c14ce64c073ecc2de63 Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Fri, 18 Jun 2021 13:52:41 +0200
Subject: [PATCH] fix_oob_read13
---
tsk/fs/hfs.c | 8 ++++----
tsk/fs/hfs_dent.c | 14 +++++++++++++-
tsk/fs/tsk_hfs.h | 2 +-
3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 8ac63b016..95d178031 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -896,7 +896,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
/* save the info from this record unless it is too big */
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen,
+ a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen, nodesize,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_ERR) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
@@ -1018,7 +1018,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
// rec_cnid = tsk_getu32(fs->endian, key->file_id);
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen,
+ a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen, nodesize,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_LEAF_STOP) {
is_done = 1;
@@ -1064,7 +1064,7 @@ typedef struct {
static uint8_t
hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr)
{
HFS_CAT_GET_RECORD_OFFSET_DATA *offset_data = (HFS_CAT_GET_RECORD_OFFSET_DATA *)ptr;
@@ -1659,7 +1659,7 @@ hfs_cat_file_lookup(HFS_INFO * hfs, TSK_INUM_T inum, HFS_ENTRY * entry,
static uint8_t
hfs_find_highest_inum_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr)
{
if (cur_keylen < 6) {
diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
index 495588642..b88627e53 100644
--- a/tsk/fs/hfs_dent.c
+++ b/tsk/fs/hfs_dent.c
@@ -198,7 +198,7 @@ typedef struct {
static uint8_t
hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t nodesize,
TSK_OFF_T key_off, void *ptr)
{
HFS_DIR_OPEN_META_INFO *info = (HFS_DIR_OPEN_META_INFO *) ptr;
@@ -233,7 +233,19 @@ hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
cur_key->parent_cnid) > info->cnid) {
return HFS_BTREE_CB_LEAF_STOP;
}
+ // Need at least 2 bytes for key_len
+ if (cur_keylen < 2) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: cur_keylen value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
rec_off2 = 2 + tsk_getu16(hfs->fs_info.endian, cur_key->key_len);
+
+ if ((nodesize < 2) || (rec_off2 >= nodesize - 2)) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: nodesize value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
rec_type = tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2]);
// Catalog entry is for a file
diff --git a/tsk/fs/tsk_hfs.h b/tsk/fs/tsk_hfs.h
index 4437b1c5a..2530e0cfe 100644
--- a/tsk/fs/tsk_hfs.h
+++ b/tsk/fs/tsk_hfs.h
@@ -765,7 +765,7 @@ extern char hfs_is_hard_link(TSK_FS_INFO * fs, TSK_INUM_T inum);
* @param ptr Pointer to data that was passed into parent
*/
typedef uint8_t(*TSK_HFS_BTREE_CB) (HFS_INFO *, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr);
// return values for callback
#define HFS_BTREE_CB_IDX_LT 1 // current key is less than target (keeps looking in node)
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink