[PATCH v1] Add bounds checking to sys_getdents, sys_getdents64

zubin.mithra at gmail.com zubin.mithra at gmail.com
Thu Jul 3 12:15:41 UTC 2014


From: Zubin Mithra <zubin.mithra at gmail.com>

* file.c (sys_getdents): Add d_reclen check.
(sys_getdents64): Add d_reclen check.

Signed-off-by: Zubin Mithra <zubin.mithra at gmail.com>
---
 file.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/file.c b/file.c
index a92a7dc..d739df6 100644
--- a/file.c
+++ b/file.c
@@ -2041,7 +2041,8 @@ sys_readdir(struct tcb *tcp)
 int
 sys_getdents(struct tcb *tcp)
 {
-	int i, len, dents = 0;
+	unsigned int i;
+	int len, dents = 0;
 	char *buf;
 
 	if (entering(tcp)) {
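Review bot: With `i` now `unsigned int` and `len` left as `int`, the `i + d->d_reclen >= len` checks added further down are mixed signed/unsigned comparisons, so `len` is converted to unsigned before it is compared. That is only correct if `len` can never be negative at that point, which these hunks do not show; presumably an earlier error return guarantees it, but this should be confirmed. If it holds, record it next to the declaration, e.g. `/* len is non-negative here: error returns are handled before the loop */`, or make the conversion explicit with `(unsigned int) len` in the comparisons. The identical declaration change in sys_getdents64 needs the same treatment; both function bodies continue outside the hunks.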
@@ -2076,6 +2077,10 @@ sys_getdents(struct tcb *tcp)
 				i ? " " : "", d->d_ino, d->d_off);
 			tprintf("d_reclen=%u, d_name=\"%s\", d_type=",
 				d->d_reclen, d->d_name);
+			if (i + d->d_reclen >= len) {
+				tprints("}");
+				break;
+			}
 			printxval(direnttypes, buf[i + d->d_reclen - 1], "DT_???");
 			tprints("}");
 		}
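Review bot: The guard `i + d->d_reclen >= len` is stricter than the read it protects, and it still misses one case. `buf[i + d->d_reclen - 1]` is in bounds whenever `i + d->d_reclen <= len`, so `>=` suppresses the d_type of a record that ends exactly at the end of the buffer, which would normally be the last entry returned. A record with `d_reclen == 0` passes the guard, and because `i` is now unsigned the index `i + 0 - 1` wraps to a huge value when `i == 0`. Suggested: `if (d->d_reclen == 0 || i + d->d_reclen > (unsigned int) len) {`. The sys_getdents64 hunk uses the same `>=` comparison, and the loop around this code starts outside the hunk.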
@@ -2098,7 +2103,8 @@ sys_getdents(struct tcb *tcp)
 int
 sys_getdents64(struct tcb *tcp)
 {
-	int i, len, dents = 0;
+	unsigned int i;
+	int len, dents = 0;
 	char *buf;
 
 	if (entering(tcp)) {
@@ -2140,6 +2146,8 @@ sys_getdents64(struct tcb *tcp)
 			tprints(", ");
 			tprintf("d_reclen=%u, d_name=\"%s\"}",
 				d->d_reclen, d->d_name);
+			if (i + d->d_reclen >= len)
+				break;
 		}
 		if (!d->d_reclen) {
 			tprints("/* d_reclen == 0, problem here */");
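Review bot: The added `if (i + d->d_reclen >= len) break;` runs only after the `tprintf` above it has printed `d->d_name` with an unbounded `%s`, so it does not prevent any read of the record it is checking. Unless code not shown here guarantees that `buf` is NUL-terminated, a record whose name lacks a terminator is read past the end of the buffer before the check fires. The check should come before the record is printed, and the name should be printed with a bounded precision (`"%.*s"`) whose length is capped at the bytes remaining after `d_name` within `len`. The sys_getdents hunk has the same ordering, since its `tprintf` of `d_name` also precedes the new check. The enclosing loop is outside the hunk.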
-- 
1.8.4




