summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2013-07-17 15:20:25 +0300
committerPhillip Lougher <phillip@squashfs.org.uk>2013-08-29 01:23:29 +0100
commit28d7b5684ba98e163ba37779fd09de01fac5261d (patch)
tree100179e5de52e6bb9e49b0d2f28c1045c363e70a
parentd8dfad3876e4386666b759da3c833d62fb8b2267 (diff)
downloadlwn-28d7b5684ba98e163ba37779fd09de01fac5261d.tar.gz
lwn-28d7b5684ba98e163ba37779fd09de01fac5261d.zip
Squashfs: sanity check information from disk
We read the size of the name from the disk, but a larger name than expected would cause memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
-rw-r--r--fs/squashfs/namei.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 7834a517f7f4..f866d42a8b6f 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb,
int len)
{
struct squashfs_sb_info *msblk = sb->s_fs_info;
- int i, size, length = 0, err;
+ int i, length = 0, err;
+ unsigned int size;
struct squashfs_dir_index *index;
char *str;
@@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb,
size = le32_to_cpu(index->size) + 1;
+ if (size > SQUASHFS_NAME_LEN) {
+ err = -EINVAL;
+ break;
+ }
err = squashfs_read_metadata(sb, index->name, &index_start,
&index_offset, size);