From 5ce8941bf47291cd6ffe7cdb1797253f1cc3a86f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= Date: Fri, 5 Nov 2021 08:41:20 +0100 Subject: [PATCH] Made sure there is no null character in an attribute name (bis) When copying an attribute name which contains a null, it is truncated and this may lead to accessing non-allocated bytes when relying on the expected name length. Such (illegal) names must therefore be rejected. --- libntfs-3g/attrib.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c index 51c8536f..efb91943 100644 --- a/libntfs-3g/attrib.c +++ b/libntfs-3g/attrib.c @@ -452,8 +452,19 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni, const ATTR_TYPES type, if (!name) { if (a->name_length) { - name = ntfs_ucsndup((ntfschar*)((u8*)a + le16_to_cpu( - a->name_offset)), a->name_length); + ntfschar *attr_name; + + attr_name = (ntfschar*)((u8*)a + + le16_to_cpu(a->name_offset)); + /* A null character leads to illegal memory access */ + if (ntfs_ucsnlen(attr_name, a->name_length) + != a->name_length) { + ntfs_log_error("Null character in attribute" + " name in inode %lld\n", + (long long)ni->mft_no); + goto put_err_out; + } + name = ntfs_ucsndup(attr_name, a->name_length); if (!name) goto put_err_out; newname = name;