xfs: check that dir block entries don't off the end of the buffer

When we're checking the entries in a directory buffer, make sure that
the entry length doesn't push us off the end of the buffer.  Found via
xfs/388 writing ones to the length fields.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/fs/xfs/libxfs/xfs_dir2_data.c b/fs/xfs/libxfs/xfs_dir2_data.c
index d478065b9544..8727a43115ef 100644
--- a/fs/xfs/libxfs/xfs_dir2_data.c
+++ b/fs/xfs/libxfs/xfs_dir2_data.c
@@ -136,6 +136,8 @@ __xfs_dir3_data_check(
                  */
                 if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
                         XFS_WANT_CORRUPTED_RETURN(mp, lastfree == 0);
+                        XFS_WANT_CORRUPTED_RETURN(mp, endp >=
+                                        p + be16_to_cpu(dup->length));
                         XFS_WANT_CORRUPTED_RETURN(mp,
                                 be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) ==
                                                (char *)dup - (char *)hdr);
@@ -164,6 +166,8 @@ __xfs_dir3_data_check(
                 XFS_WANT_CORRUPTED_RETURN(mp, dep->namelen != 0);
                 XFS_WANT_CORRUPTED_RETURN(mp,
                         !xfs_dir_ino_validate(mp, be64_to_cpu(dep->inumber)));
+                XFS_WANT_CORRUPTED_RETURN(mp, endp >=
+                                p + ops->data_entsize(dep->namelen));
                 XFS_WANT_CORRUPTED_RETURN(mp,
                         be16_to_cpu(*ops->data_entry_tag_p(dep)) ==
                                                (char *)dep - (char *)hdr);