[Bug 204643] [msdosfs] [panic] Crash while accessing files with large, non-english names
bugzilla-noreply at freebsd.org
Sat Mar 12 02:29:47 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204643
Kristof Provost <kp at freebsd.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kp at freebsd.org
--- Comment #2 from Kristof Provost <kp at freebsd.org> ---
The cause is fairly obvious. In msdosfs_readdir() we use dos2unixfn() to
translate the file name. The translation can increase the length of the
filename; presumably this happened with the non-English name in this case.
The output is stored in a (stored on the stack) struct dirent, where the d_name
has a maximum length of 255 bytes. dos2unixfn() has no length limit, so it can
overflow the d_name. This triggers the stack corruption protection.
Fortunately, or this might be an exploitable bug.
Fixing it is a little annoying, because it could conceivably lead to two
directory names being translated into the same string.
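An added illustration of the bounded translation the comment calls for; this is not FreeBSD's msdosfs code. The code-page mapping (Latin-1 identity), the DNAME_MAX constant and the dos2unix_bounded() name are assumptions: the point is that the output length is measured before each write, and a name that would not fit in d_name is rejected instead of overflowing the stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNAME_MAX 255   /* assumed: payload limit of struct dirent's d_name */

/* Constructed code page: every source byte maps to the same code point
 * (Latin-1). A real DOS code page table would go here. */
static uint32_t cp_to_ucs(unsigned char c) { return c; }

/* Encode one code point as UTF-8. Returns the byte count; writes only
 * when out is non-NULL and the sequence fits in room. */
static size_t put_utf8(uint32_t cp, char *out, size_t room) {
    unsigned char tmp[3]; size_t n;
    if (cp < 0x80) { tmp[0] = (unsigned char)cp; n = 1; }
    else if (cp < 0x800) { tmp[0] = (unsigned char)(0xC0 | (cp >> 6));
                           tmp[1] = (unsigned char)(0x80 | (cp & 0x3F)); n = 2; }
    else { tmp[0] = (unsigned char)(0xE0 | (cp >> 12));
           tmp[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
           tmp[2] = (unsigned char)(0x80 | (cp & 0x3F)); n = 3; }
    if (out != NULL && n <= room) memcpy(out, tmp, n);
    return n;
}

/* Length-checked translation into a d_name-sized buffer. Returns the
 * translated length, or -1 when the UTF-8 form would exceed DNAME_MAX
 * (the caller should skip or reject the entry; out is then incomplete). */
int dos2unix_bounded(const unsigned char *in, size_t inlen, char out[DNAME_MAX + 1]) {
    size_t used = 0;
    for (size_t i = 0; i < inlen; i++) {
        uint32_t cp = cp_to_ucs(in[i]);
        size_t n = put_utf8(cp, NULL, 0);        /* measure before writing */
        if (used + n > DNAME_MAX) return -1;     /* would overflow d_name */
        put_utf8(cp, out + used, DNAME_MAX - used);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void) {
    char d_name[DNAME_MAX + 1];
    unsigned char ascii[200], high[200];
    memset(ascii, 'a', sizeof ascii);
    memset(high, 0xE9, sizeof high);             /* 0xE9 = 'é', 2 bytes in UTF-8 */
    printf("ascii: %d\n", dos2unix_bounded(ascii, sizeof ascii, d_name)); /* 200 */
    printf("high:  %d\n", dos2unix_bounded(high, sizeof high, d_name));   /* -1 */
    return 0;
}
```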