diff options
| author | Fabian Frederick <fabf@skynet.be> | 2017-01-06 15:54:43 -0500 |
|---|---|---|
| committer | Jan Kara <jack@suse.cz> | 2017-01-10 05:59:21 -0500 |
| commit | 1d82a56bc5bf820b7c65d8130b44c0bc101b546c (patch) | |
| tree | 6835a6658ddb237fe19aa2d88a7ab0c5a467eb7b | |
| parent | 23bcda112f77da278898841615c7530c3e91a537 (diff) | |
udf: check partition reference in udf_read_inode()
We were checking block number without checking partition.
sbi->s_partmaps[iloc->partitionReferenceNum] could lead to
bad memory access. See udf_nfs_get_inode() path for instance.
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Jan Kara <jack@suse.cz>
| -rw-r--r-- | fs/udf/inode.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 2296c8708052..8ec6b3df0bc7 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c | |||
| @@ -1277,6 +1277,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) | |||
| 1277 | int ret = -EIO; | 1277 | int ret = -EIO; |
| 1278 | 1278 | ||
| 1279 | reread: | 1279 | reread: |
| 1280 | if (iloc->partitionReferenceNum >= sbi->s_partitions) { | ||
| 1281 | udf_debug("partition reference: %d > logical volume partitions: %d\n", | ||
| 1282 | iloc->partitionReferenceNum, sbi->s_partitions); | ||
| 1283 | return -EIO; | ||
| 1284 | } | ||
| 1285 | |||
| 1280 | if (iloc->logicalBlockNum >= | 1286 | if (iloc->logicalBlockNum >= |
| 1281 | sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { | 1287 | sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { |
| 1282 | udf_debug("block=%d, partition=%d out of range\n", | 1288 | udf_debug("block=%d, partition=%d out of range\n", |