[CHG]增强MBR分区表加载的安全性

AngryProton · AngryProton · commit a2504cbeabc8 · 2026-05-10T21:38:53.000+08:00
diff --git a/components/drivers/block/partitions/dfs.c b/components/drivers/block/partitions/dfs.c
@@ -34,6 +34,21 @@ rt_err_t dfs_partition(struct rt_blk_disk *disk)
         return res;
     }
 
+    /* check MBR signature at offset 0x1FE-0x1FF */
+    if (sector[0x1FE] != 0x55 || sector[0x1FF] != 0xAA)
+    {
+        rt_free(sector);
+        return -RT_ERROR;
+    }
+
+    /* get disk total capacity */
+    rt_ssize_t disk_capacity = rt_blk_disk_get_capacity(disk);
+    if (disk_capacity <= 0)
+    {
+        rt_free(sector);
+        return disk_capacity < 0 ? disk_capacity : -RT_ERROR;
+    }
+
     for (rt_size_t i = 0; i < disk->max_partitions; ++i)
     {
         res = dfs_filesystem_get_partition(&part, sector, i);
@@ -43,6 +58,25 @@ rt_err_t dfs_partition(struct rt_blk_disk *disk)
             break;
         }
 
+        /* check if partition start and size are within disk capacity */
+        off_t part_start = part.offset;
+        size_t part_size = part.size;
+        off_t part_end = part_start + (off_t)part_size;
+
+        if (part_start >= (off_t)disk_capacity)
+        {
+            LOG_W("Partition %d: start sector %ld >= disk capacity %ld, skipped",
+                  i, part_start, disk_capacity);
+            continue;
+        }
+
+        if (part_size == 0 || part_end > (off_t)disk_capacity)
+        {
+            LOG_W("Partition %d: size %lu or end sector %ld > disk capacity %ld, skipped",
+                  i, part_size, part_end, disk_capacity);
+            continue;
+        }
+
         if (blk_put_partition(disk, "dfs", part.offset, part.size, i) == -RT_ENOMEM)
         {
             break;
