diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-08-15 08:53:38 +0300 |
---|---|---|
committer | Ben Myers <bpm@sgi.com> | 2013-08-26 11:28:08 -0500 |
commit | 0d0ab120d1fe90fcc73a2bfff3945bea636b3025 (patch) | |
tree | 33a2da26d723f130c58b4dc5f597bccc94843309 /fs | |
parent | 98f7462c4331cbf283e7b5c2269d17c17b8f00f2 (diff) | |
download | lwn-0d0ab120d1fe90fcc73a2bfff3945bea636b3025.tar.gz lwn-0d0ab120d1fe90fcc73a2bfff3945bea636b3025.zip |
xfs: check for underflow in xfs_iformat_fork()
The "di_size" variable comes from the disk and it's a signed 64 bit.
We check the upper limit but we should check for negative numbers as
well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/xfs/xfs_inode_fork.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/xfs/xfs_inode_fork.c b/fs/xfs/xfs_inode_fork.c index 2b60a5a2ae53..02f1083955bb 100644 --- a/fs/xfs/xfs_inode_fork.c +++ b/fs/xfs/xfs_inode_fork.c @@ -167,7 +167,8 @@ xfs_iformat_fork( } di_size = be64_to_cpu(dip->di_size); - if (unlikely(di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) { + if (unlikely(di_size < 0 || + di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) { xfs_warn(ip->i_mount, "corrupt inode %Lu (bad size %Ld for local inode).", (unsigned long long) ip->i_ino, |