From 3f3b771cb08c92f34e21326462be3330973f02a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 17 May 2021 15:33:04 +0300
Subject: [PATCH] Added consistency checks of index root

The index root must lie within the space allocated for it.
---
 libntfs-3g/dir.c | 10 ++++++++++
 libntfs-3g/index.c | 18 +++++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/libntfs-3g/dir.c b/libntfs-3g/dir.c
index e85c3c52..f3c14d8f 100644
--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@@ -293,6 +293,16 @@ u64 ntfs_inode_lookup_by_name(ntfs_inode *dir_ni,
 (unsigned)index_block_size);
 goto put_err_out;
 }
+ if (((offsetof(INDEX_ROOT,index)
+ + le32_to_cpu(ir->index.allocated_size)) > le32_to_cpu(ctx->attr->value_length)) || (le32_to_cpu(ir->index.entries_offset) > le32_to_cpu(ir->index.index_length)) || (le32_to_cpu(ir->index.index_length) > le32_to_cpu(ir->index.allocated_size))) { ntfs_log_error("Index root is corrupt.\n"); goto put_err_out; }
 index_end = (u8*)&ir->index + le32_to_cpu(ir->index.index_length);
 /* The first index entry. */
 ie = (INDEX_ENTRY*)((u8*)&ir->index +
diff --git a/libntfs-3g/index.c b/libntfs-3g/index.c
index 006a6ecd..e12cbafd 100644
--- a/libntfs-3g/index.c
+++ b/libntfs-3g/index.c
@@ -5,7 +5,7 @@
 * Copyright (c) 2004-2005 Richard Russon
 * Copyright (c) 2005-2006 Yura Pakhuchiy
 * Copyright (c) 2005-2008 Szabolcs Szakacsits
- * Copyright (c) 2007-2020 Jean-Pierre Andre
+ * Copyright (c) 2007-2021 Jean-Pierre Andre
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -673,6 +673,7 @@ int ntfs_index_lookup(const void *key, const int key_len, ntfs_index_context *ic
 INDEX_ROOT *ir;
 INDEX_ENTRY *ie;
 INDEX_BLOCK *ib = NULL;
+ ATTR_RECORD *a;
 int ret, err = 0;
 
 ntfs_log_trace("Entering\n");
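Review bot: The first bound of the new check in ntfs_inode_lookup_by_name adds `offsetof(INDEX_ROOT,index)` (a size_t) to the `u32` returned by `le32_to_cpu(ir->index.allocated_size)`, so on a build where size_t is 32 bits an allocated_size close to `0xffffffff` wraps the sum to a small value; the `value_length` comparison then passes, the third comparison accepts almost any `index_length`, and `index_end` on the following line can point past the attribute value. Computing the sum in a wide type closes that gap, `if (((u64)offsetof(INDEX_ROOT,index) + le32_to_cpu(ir->index.allocated_size)) > le32_to_cpu(ctx->attr->value_length))`, and the same sum pattern appears in the ntfs_index_lookup hunk of index.c with `index_length` in place of `allocated_size`. The check also accepts an `entries_offset` smaller than `sizeof(INDEX_HEADER)`, which would place the first INDEX_ENTRY on top of the header fields just validated; a lower bound such as `|| (le32_to_cpu(ir->index.entries_offset) < sizeof(INDEX_HEADER))` in the same condition would reject that. The enclosing function starts outside the hunk.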
@@ -712,10 +713,17 @@ int ntfs_index_lookup(const void *key, const int key_len, ntfs_index_context *ic
 }
 old_vcn = VCN_INDEX_ROOT_PARENT;
- /*
- * FIXME: check for both ir and ib that the first index entry is
- * within the index block.
- */
+ a = icx->actx->attr;
+ if (((offsetof(INDEX_ROOT,index)
+ + le32_to_cpu(ir->index.index_length)) > le32_to_cpu(a->value_length)) || (le32_to_cpu(ir->index.entries_offset) > le32_to_cpu(ir->index.index_length))) { ntfs_log_error("Index root is corrupt in MFT record %lld.\n", (long long)icx->ni->mft_no); err = errno = ERANGE; goto err_lookup; }
 ret = ntfs_ie_lookup(key, key_len, icx, &ir->index, &vcn, &ie);
 if (ret == STATUS_ERROR) {
 err = errno;