btrfs: Verify dir_item in replay_xattr_deletes

replay_xattr_deletes calls btrfs_search_slot to get buffer and reads
name.

Call verify_dir_item to check name_len in replay_xattr_deletes to avoid
reading out of boundary.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 11cf38fb3a49..06c7ceb07282 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2111,6 +2111,7 @@ static int replay_xattr_deletes(struct btrfs_trans_handle *trans,
                               struct btrfs_path *path,
                               const u64 ino)
 {
+        struct btrfs_fs_info *fs_info = root->fs_info;
         struct btrfs_key search_key;
         struct btrfs_path *log_path;
         int i;
@@ -2152,6 +2153,12 @@ process_leaf:
                         u32 this_len = sizeof(*di) + name_len + data_len;
                         char *name;
 
+                        ret = verify_dir_item(fs_info, path->nodes[0],
+                                              path->slots[0], di);
+                        if (ret) {
+                                ret = -EIO;
+                                goto out;
+                        }
                         name = kmalloc(name_len, GFP_NOFS);
                         if (!name) {
                                 ret = -ENOMEM;