As pointed out by wiz@ prevent a possible attack or corruption that results in

an endless loop of indirect descriptors being processed.

The number of indirect descriptors followed is now maximized.
While here, also fix a use-after-free bug!

sys/fs/udf/udf.h

@@ -1,4 +1,4 @@
-/* $NetBSD: udf.h,v 1.46 2013/10/18 19:56:55 christos Exp $ */
+/* $NetBSD: udf.h,v 1.47 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -128,6 +128,8 @@ extern int udf_verbose;
 #define UDF_DISC_SLACK		(128)			/* picked, at least 64 kb or 128 */
 #define UDF_ISO_VRS_SIZE	(32*2048)		/* 32 ISO `sectors' */
 
+#define UDF_MAX_INDIRS_FOLLOW	1024			/* picked */
+
 
 /* structure space */
 #define UDF_ANCHORS		4	/* 256, 512, N-256, N */

sys/fs/udf/udf_subr.c

@@ -1,4 +1,4 @@
-/* $NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $ */
+/* $NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $ */
 
 /*
  * Copyright (c) 2006, 2008 Reinoud Zandijk
@@ -29,7 +29,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.125 2014/07/29 15:36:43 reinoud Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udf_subr.c,v 1.126 2014/09/17 19:47:05 reinoud Exp $");
 #endif /* not lint */
 
 
@@ -5290,6 +5290,7 @@ udf_get_node(struct udf_mount *ump, struct long_ad *node_icb_loc,
 	uint32_t lb_size, sector, dummy;
 	int udf_file_type, dscr_type, strat, strat4096, needs_indirect;
 	int slot, eof, error;
+	int num_indir_followed = 0;
 
 	DPRINTF(NODE, ("udf_get_node called\n"));
 	*udf_noderes = udf_node = NULL;
@@ -5392,8 +5393,12 @@ udf_get_node(struct udf_mount *ump, struct long_ad *node_icb_loc,
 		/* if dealing with an indirect entry, follow the link */
 		if (dscr_type == TAGID_INDIRECTENTRY) {
 			needs_indirect = 0;
-			udf_free_logvol_dscr(ump, &icb_loc, dscr);
 			icb_loc = dscr->inde.indirect_icb;
+			udf_free_logvol_dscr(ump, &icb_loc, dscr);
+			if (++num_indir_followed > UDF_MAX_INDIRS_FOLLOW) {
+				error = EMLINK;
+				break;
+			}
 			continue;
 		}