[Bug 204643] [msdosfs] [panic] Crash while accessing files with large, non-English names

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Mar 12 02:29:47 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204643

Kristof Provost <kp at freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp at freebsd.org

--- Comment #2 from Kristof Provost <kp at freebsd.org> ---
The cause is fairly obvious. In msdosfs_readdir() we use dos2unixfn() to
translate the file name. The translation can increase the length of the
filename; presumably this happened with the non-English name in this case.

The output is stored in a (stored on the stack) struct dirent, where the d_name
has a maximum length of 255 bytes. dos2unixfn() has no length limit, so it can
overflow the d_name. This triggers the stack corruption protection.
Fortunately, or this might be an exploitable bug.

Fixing it is a little annoying, because it could conceivably lead to two
directory names being translated into the same string.

-- 
You are receiving this mail because:
You are the assignee for the bug.
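The length problem described in the comment, as an added illustration that is not the msdosfs code or anything from the bug's author: a hypothetical `expand_byte()` stands in for the character translation (ASCII stays one byte, any byte at or above 0x80 expands to two, as a Latin-1 to UTF-8 conversion would), `NAME_MAX_LEN` is assumed to be the 255-byte `d_name` limit the comment mentions, and the sample names are constructed. `translated_len()` shows the check a caller can make before writing, and `translate_bounded()` shows a translation that refuses to exceed the destination buffer instead of overrunning it.

```c
#include <stddef.h>
#include <string.h>

/* Assumed: the 255-byte d_name limit the bug comment refers to. */
#define NAME_MAX_LEN 255

/*
 * Hypothetical stand-in for the name translation. Each input byte maps to one
 * output byte if it is ASCII, or to a two-byte UTF-8 sequence otherwise, so
 * the output can be up to twice as long as the input. Constructed model only.
 */
static size_t expand_byte(unsigned char c, char out[2])
{
	if (c < 0x80) {
		out[0] = (char)c;
		return 1;
	}
	out[0] = (char)(0xC0 | (c >> 6));
	out[1] = (char)(0x80 | (c & 0x3F));
	return 2;
}

/* Length the translated name would need, computed without writing anything. */
size_t translated_len(const unsigned char *in, size_t inlen)
{
	size_t n = 0;
	for (size_t i = 0; i < inlen; i++)
		n += (in[i] < 0x80) ? 1 : 2;
	return n;
}

/*
 * Bounded translation into dst (dstsize bytes, including the terminating NUL).
 * Returns the number of bytes written excluding the NUL, or -1 if the result
 * would not fit. Never writes past dst[dstsize - 1].
 */
int translate_bounded(const unsigned char *in, size_t inlen,
    char *dst, size_t dstsize)
{
	size_t w = 0;

	if (dstsize == 0)
		return -1;
	for (size_t i = 0; i < inlen; i++) {
		char tmp[2];
		size_t k = expand_byte(in[i], tmp);

		if (w + k + 1 > dstsize) {	/* would overrun: refuse */
			dst[0] = '\0';
			return -1;
		}
		memcpy(dst + w, tmp, k);
		w += k;
	}
	dst[w] = '\0';
	return (int)w;
}

/*
 * Constructed input: a name of n copies of byte c, translated into a buffer
 * sized exactly like the d_name limit. Returns translate_bounded()'s result.
 */
int bounded_result_for(size_t n, unsigned char c)
{
	unsigned char name[512];
	char dst[NAME_MAX_LEN + 1];

	if (n > sizeof name)
		return -1;
	memset(name, c, n);
	return translate_bounded(name, n, dst, sizeof dst);
}

/* 1 if a name of n copies of c would exceed d_name after translation. */
int would_overflow_dirent(size_t n, unsigned char c)
{
	unsigned char name[512];

	if (n > sizeof name)
		return 1;
	memset(name, c, n);
	return translated_len(name, n) > NAME_MAX_LEN;
}
```

A 200-byte name of Latin-1 `e-acute` (0xE9) fits comfortably in the on-disk form but needs 400 bytes once translated, which is the case the bounded version rejects and the unbounded one would write past the end of the struct.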


More information about the freebsd-fs mailing list