[CHG]增强MBR分区表加载的安全性

2026-05-12 21:25:53 +00:00 · 2026-05-10 21:38:53 +08:00
parent 5bd0c88b74
commit 5b5bd39402
1 changed files with 34 additions and 0 deletions
--- a/components/drivers/block/partitions/dfs.c
+++ b/components/drivers/block/partitions/dfs.c
@@ -34,6 +34,21 @@ rt_err_t dfs_partition(struct rt_blk_disk *disk)
        return res;
    }

+    /* check MBR signature at offset 0x1FE-0x1FF */
+    if (sector[0x1FE] != 0x55 || sector[0x1FF] != 0xAA)
+    {
+        rt_free(sector);
+        return -RT_ERROR;
+    }
+
+    /* get disk total capacity */
+    rt_ssize_t disk_capacity = rt_blk_disk_get_capacity(disk);
+    if (disk_capacity <= 0)
+    {
+        rt_free(sector);
+        return disk_capacity < 0 ? disk_capacity : -RT_ERROR;
+    }
+
    for (rt_size_t i = 0; i < disk->max_partitions; ++i)
    {
        res = dfs_filesystem_get_partition(&part, sector, i);
@@ -43,6 +58,25 @@ rt_err_t dfs_partition(struct rt_blk_disk *disk)
            break;
        }

+        /* check if partition start and size are within disk capacity */
+        off_t part_start = part.offset;
+        size_t part_size = part.size;
+        off_t part_end = part_start + (off_t)part_size;
+
+        if (part_start >= (off_t)disk_capacity)
+        {
+            LOG_W("Partition %d: start sector %ld >= disk capacity %ld, skipped",
+                  i, part_start, disk_capacity);
+            continue;
+        }
+
+        if (part_size == 0 || part_end > (off_t)disk_capacity)
+        {
+            LOG_W("Partition %d: size %lu or end sector %ld > disk capacity %ld, skipped",
+                  i, part_size, part_end, disk_capacity);
+            continue;
+        }
+
        if (blk_put_partition(disk, "dfs", part.offset, part.size, i) == -RT_ENOMEM)
        {
            break;