FAT: buffer overflow with FAT12/16

Last commit 3831530da was intended "explicitly specify FAT12/16 root directory parsing buffer size, instead of relying on cluster size". Howver, the underlying function requires the size of the buffer in blocks, not in bytes, and instead of passing a double sector size a request for 1024 blocks is sent. This generates a buffer overflow with overwriting of other structure (in the case seen, USB structures were overwritten). Signed-off-by: N Stefano Babic <sbabic@denx.de> CC: Mikhail Zolotaryov <lebon@lebon.org.ua>

FAT: buffer overflow with FAT12/16
Last commit 3831530da was intended "explicitly specify FAT12/16 root directory parsing buffer size, instead of relying on cluster size". Howver, the underlying function requires the size of the buffer in blocks, not in bytes, and instead of passing a double sector size a request for 1024 blocks is sent. This generates a buffer overflow with overwriting of other structure (in the case seen, USB structures were overwritten). Signed-off-by: N Stefano Babic <sbabic@denx.de> CC: Mikhail Zolotaryov <lebon@lebon.org.ua>
11c8dd36 · Stefano Babic · Wolfgang Denk · 70994c79 · 11c8dd36
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/fat/fat.c fs/fat/fat.c +1 -1

未找到文件。
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -858,7 +858,7 @@ do_fat_read (const char *filename, void *buffer, unsigned long maxsize,
 		if (disk_read(cursect,
 				(mydata->fatsize == 32) ?
 				(mydata->clust_size) :
-				LINEAR_PREFETCH_SIZE,
+				LINEAR_PREFETCH_SIZE / SECTOR_SIZE,
 				do_fat_read_block) < 0) {
 			debug("Error: reading rootdir block\n");
 			return -1;