From: Stefano Babic Date: Wed, 20 Oct 2010 06:51:45 +0000 (+0200) Subject: FAT: buffer overflow with FAT12/16 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=11c8dd36edcc82564a19dbd0103302df66d66db0;p=project%2Fbcm63xx%2Fu-boot.git FAT: buffer overflow with FAT12/16 Last commit 3831530dcb7b71329c272ccd6181f8038b6a6dd0a was intended "explicitly specify FAT12/16 root directory parsing buffer size, instead of relying on cluster size". Howver, the underlying function requires the size of the buffer in blocks, not in bytes, and instead of passing a double sector size a request for 1024 blocks is sent. This generates a buffer overflow with overwriting of other structure (in the case seen, USB structures were overwritten). Signed-off-by: Stefano Babic CC: Mikhail Zolotaryov --- diff --git a/fs/fat/fat.c b/fs/fat/fat.c index 744e961847..a75e4f258a 100644 --- a/fs/fat/fat.c +++ b/fs/fat/fat.c @@ -858,7 +858,7 @@ do_fat_read (const char *filename, void *buffer, unsigned long maxsize, if (disk_read(cursect, (mydata->fatsize == 32) ? (mydata->clust_size) : - LINEAR_PREFETCH_SIZE, + LINEAR_PREFETCH_SIZE / SECTOR_SIZE, do_fat_read_block) < 0) { debug("Error: reading rootdir block\n"); return -1;