From 9f4073d44628bc70dbe67df5163266cbfbe37167 Mon Sep 17 00:00:00 2001 From: Konstantin Belousov Date: Thu, 30 Dec 2021 15:17:59 +0200 Subject: [PATCH] geom label msdosfs: sanity check BPB before using it for io request It must be greater than zero, and be multiple of the device block size. In collaboration with: pho Reviewed by: markj, mckusick Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D33721 --- sys/geom/label/g_label_msdosfs.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/geom/label/g_label_msdosfs.c b/sys/geom/label/g_label_msdosfs.c index 06d5f2a8e0f0..f138d1eda716 100644 --- a/sys/geom/label/g_label_msdosfs.c +++ b/sys/geom/label/g_label_msdosfs.c @@ -156,6 +156,12 @@ g_label_msdosfs_taste(struct g_consumer *cp, char *label, size_t size) G_LABEL_DEBUG(2, "MSDOSFS: FAT_FirstDataSector=0x%x, FAT_BytesPerSector=%d", fat_FirstDataSector, fat_BytesPerSector); + if (fat_BytesPerSector == 0 || + fat_BytesPerSector % pp->sectorsize != 0) { + G_LABEL_DEBUG(1, "MSDOSFS: %s: corrupted BPB", + pp->name); + goto error; + } for (offset = fat_BytesPerSector * fat_FirstDataSector;; offset += fat_BytesPerSector) {