diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-07-17 15:20:25 +0300 |
---|---|---|
committer | Phillip Lougher <phillip@squashfs.org.uk> | 2013-08-29 01:23:29 +0100 |
commit | 28d7b5684ba98e163ba37779fd09de01fac5261d (patch) | |
tree | 100179e5de52e6bb9e49b0d2f28c1045c363e70a | |
parent | d8dfad3876e4386666b759da3c833d62fb8b2267 (diff) | |
download | lwn-28d7b5684ba98e163ba37779fd09de01fac5261d.tar.gz lwn-28d7b5684ba98e163ba37779fd09de01fac5261d.zip |
Squashfs: sanity check information from disk
We read the size of the name from the disk, but a larger name than
expected would cause memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
-rw-r--r-- | fs/squashfs/namei.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 7834a517f7f4..f866d42a8b6f 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c @@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb, int len) { struct squashfs_sb_info *msblk = sb->s_fs_info; - int i, size, length = 0, err; + int i, length = 0, err; + unsigned int size; struct squashfs_dir_index *index; char *str; @@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb, size = le32_to_cpu(index->size) + 1; + if (size > SQUASHFS_NAME_LEN) { + err = -EINVAL; + break; + } err = squashfs_read_metadata(sb, index->name, &index_start, &index_offset, size); |