hi,

this is basically the same as
hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch.
We use the length parameter for a memcopy without checking it and
thereby corruption memory. 

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>

--- linux/fs/hfs/catalog.c.orig	2008-09-08 15:20:15.000000000 +0200
+++ linux/fs/hfs/catalog.c	2008-09-08 15:21:02.000000000 +0200
@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block
 
 	fd->search_key->cat.ParID = rec.thread.ParID;
 	len = fd->search_key->cat.CName.len = rec.thread.CName.len;
+	if (len > HFS_NAMELEN) {
+		printk(KERN_ERR "hfs: bad catalog namelength\n");
+		return -EIO;
+	}
 	memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
 	return hfs_brec_find(fd);
 }
--

[ message continues ]

On Mon, 8 Sep 2008 15:35:05 +0200

I can't really use the above text in a changelog.  Think how it will

"corrupting".

I assume that this bug was found using a deliberately corrupted
filesystem?  If so, that sort of thing should be described in the
changelog.

Please spend a little more time (say, 60 seconds) preparing patch

Please send a full changelog for this patch.

I can (and often do) end up writing these things myself, but it's not a
very satisfactory arrangement, particularly when I'm not provided with
sufficient information to do so.

Thanks.
--

[ message continues ]