From db3e93788908eb846131023f8db62286812b9792 Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Fri, 10 Aug 2001 04:42:07 +0000
Subject: 2001-08-09 Roland McGrath * inode.c (diskfs_get_translator): Fail with EFTYPE if the length field stored on disk is unreasonable. Don't crash on ENOMEM. Use memcpy instead of bcopy.
---
 ext2fs/inode.c | 16 +++++++++++-----
 ufs/inode.c | 13 ++++++++++---
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/ext2fs/inode.c b/ext2fs/inode.c
index 0485b71e..a3483c00 100644
--- a/ext2fs/inode.c
+++ b/ext2fs/inode.c
@@ -712,7 +712,7 @@ diskfs_get_translator (struct node *np, char **namep, unsigned *namelen)
 error_t err = 0;
 daddr_t blkno;
 unsigned datalen;
- void *transloc;
+ const void *transloc;
 assert (sblock->s_creator_os == EXT2_OS_HURD);
@@ -726,10 +726,16 @@ diskfs_get_translator (struct node *np, char **namep, unsigned *namelen)
 datalen = ((unsigned char *)transloc)[0] + (((unsigned char *)transloc)[1] << 8);
- *namep = malloc (datalen);
- if (!*namep)
- err = ENOMEM;
- bcopy (transloc + 2, *namep, datalen);
+ if (datalen > block_size)
+ err = EFTYPE; /* ? */
+ else
+ {
+ *namep = malloc (datalen);
+ if (!*namep)
+ err = ENOMEM;
+ else
+ memcpy (*namep, transloc + 2, datalen);
+ }
 diskfs_end_catch_exception ();
diff --git a/ufs/inode.c b/ufs/inode.c
index 2647754c..28f18dbd 100644
--- a/ufs/inode.c
+++ b/ufs/inode.c
@@ -602,7 +602,7 @@ diskfs_get_translator (struct node *np, char **namep, u_int *namelen)
 error_t err;
 daddr_t blkno;
 u_int datalen;
- void *transloc;
+ const void *transloc;
 err = diskfs_catch_exception ();
 if (err)
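Review bot: The new bound in the ext2fs hunk at -726, `if (datalen > block_size)`, does not account for the two-byte length prefix, so a stored length of block_size - 1 or block_size still passes and `memcpy (*namep, transloc + 2, datalen)` reads up to two bytes beyond the block (assuming transloc points at the start of a block_size-byte block; it is set outside the hunk). Because the length comes straight from disk, I would compare against the room left after the prefix: `if (datalen > block_size - 2)`. The ufs hunk at -613 has the same gap with its `sizeof (u_int)` prefix and wants `if (datalen > sblock->fs_bsize - sizeof (u_int))`. The `/* ? */` on the EFTYPE line should become a comment saying why that errno was chosen; the function continues past the hunk, so what a caller finds in `*namelen` on these error paths is not visible here.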
@@ -613,8 +613,15 @@ diskfs_get_translator (struct node *np, char **namep, u_int *namelen)
 transloc = disk_image + fsaddr (sblock, blkno);
 datalen = *(u_int *)transloc;
- *namep = malloc (datalen);
- bcopy (transloc + sizeof (u_int), *namep, datalen);
+ if (datalen > sblock->fs_bsize)
+ err = EFTYPE;
+ else
+ {
+ *namep = malloc (datalen);
+ if (*namep == NULL)
+ err = ENOMEM;
+ memcpy (*namep, transloc + sizeof (u_int), datalen);
+ }
 diskfs_end_catch_exception ();
-- 
cgit v1.2.3
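Review bot: The `memcpy` in this ufs hunk is not guarded by an `else`, so when `malloc` returns NULL the code sets `err = ENOMEM` and then still copies datalen bytes through a null `*namep`. The commit message promises "Don't crash on ENOMEM", and the ext2fs version of the same block does have the guard; adding `else` on the line before `memcpy (*namep, transloc + sizeof (u_int), datalen);` brings the two in line. Separately, the context line `datalen = *(u_int *)transloc;` now casts away the const this commit adds to transloc, and `*(const u_int *)transloc` would keep the qualifier. The function body continues outside the hunk.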