authorRoland McGrath <roland@gnu.org>2001-08-10 04:42:07 +0000
committerRoland McGrath <roland@gnu.org>2001-08-10 04:42:07 +0000
commitdb3e93788908eb846131023f8db62286812b9792 (patch)
tree45ac5bf573ab7829091cd42728a7453691cea4c9
parentea9f9a7aba1f050fae261c9bb4ebbf2c1c46f550 (diff)
2001-08-09 Roland McGrath <roland@frob.com>
* inode.c (diskfs_get_translator): Fail with EFTYPE if the length field stored on disk is unreasonable. Don't crash on ENOMEM. Use memcpy instead of bcopy.
-rw-r--r--ext2fs/inode.c16
-rw-r--r--ufs/inode.c13
2 files changed, 21 insertions, 8 deletions
diff --git a/ext2fs/inode.c b/ext2fs/inode.c
index 0485b71e..a3483c00 100644
--- a/ext2fs/inode.c
+++ b/ext2fs/inode.c
@@ -712,7 +712,7 @@ diskfs_get_translator (struct node *np, char **namep, unsigned *namelen)
error_t err = 0;
daddr_t blkno;
unsigned datalen;
- void *transloc;
+ const void *transloc;
assert (sblock->s_creator_os == EXT2_OS_HURD);
@@ -726,10 +726,16 @@ diskfs_get_translator (struct node *np, char **namep, unsigned *namelen)
datalen =
((unsigned char *)transloc)[0] + (((unsigned char *)transloc)[1] << 8);
- *namep = malloc (datalen);
- if (!*namep)
- err = ENOMEM;
- bcopy (transloc + 2, *namep, datalen);
+ if (datalen > block_size)
+ err = EFTYPE; /* ? */
+ else
+ {
+ *namep = malloc (datalen);
+ if (!*namep)
+ err = ENOMEM;
+ else
+ memcpy (*namep, transloc + 2, datalen);
+ }
diskfs_end_catch_exception ();
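Review bot: The bound `datalen > block_size` ignores the two length bytes that precede the name, so an on-disk length of `block_size - 1` or `block_size` passes the check and `memcpy (*namep, transloc + 2, datalen)` reads up to two bytes past the block (assuming the translator record is confined to one block, which the comparison implies). Checking the whole record, `if (datalen + 2 > block_size)`, closes that gap. The ufs hunk has the same issue at `datalen > sblock->fs_bsize`, where the header is `sizeof (u_int)` bytes. The `/* ? */` marker would be better replaced by a comment saying the length comes from disk and is untrusted. The function starts and ends outside this hunk, so what callers see in `*namep` and `*namelen` on the EFTYPE path cannot be checked from here.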
diff --git a/ufs/inode.c b/ufs/inode.c
index 2647754c..28f18dbd 100644
--- a/ufs/inode.c
+++ b/ufs/inode.c
@@ -602,7 +602,7 @@ diskfs_get_translator (struct node *np, char **namep, u_int *namelen)
error_t err;
daddr_t blkno;
u_int datalen;
- void *transloc;
+ const void *transloc;
err = diskfs_catch_exception ();
if (err)
@@ -613,8 +613,15 @@ diskfs_get_translator (struct node *np, char **namep, u_int *namelen)
transloc = disk_image + fsaddr (sblock, blkno);
datalen = *(u_int *)transloc;
- *namep = malloc (datalen);
- bcopy (transloc + sizeof (u_int), *namep, datalen);
+ if (datalen > sblock->fs_bsize)
+ err = EFTYPE;
+ else
+ {
+ *namep = malloc (datalen);
+ if (*namep == NULL)
+ err = ENOMEM;
+ memcpy (*namep, transloc + sizeof (u_int), datalen);
+ }
diskfs_end_catch_exception ();
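Review bot: The `memcpy` following `if (*namep == NULL) err = ENOMEM;` is unconditional, so a failed `malloc` still copies `datalen` bytes into a null pointer. The ext2fs version of this same change guards the copy with `else`, and this hunk needs the same: `else memcpy (*namep, transloc + sizeof (u_int), datalen);`. As written, the commit's stated goal of not crashing on ENOMEM is met for ext2fs but not for ufs. The rest of the function lies outside the hunk.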