diff options
Diffstat (limited to 'fs/btrfs/check-integrity.c')
| -rw-r--r-- | fs/btrfs/check-integrity.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c index da6e9364a5e..9197e2e3340 100644 --- a/fs/btrfs/check-integrity.c +++ b/fs/btrfs/check-integrity.c | |||
| @@ -1032,6 +1032,7 @@ continue_with_current_leaf_stack_frame: | |||
| 1032 | struct btrfs_disk_key *disk_key; | 1032 | struct btrfs_disk_key *disk_key; |
| 1033 | u8 type; | 1033 | u8 type; |
| 1034 | u32 item_offset; | 1034 | u32 item_offset; |
| 1035 | u32 item_size; | ||
| 1035 | 1036 | ||
| 1036 | if (disk_item_offset + sizeof(struct btrfs_item) > | 1037 | if (disk_item_offset + sizeof(struct btrfs_item) > |
| 1037 | sf->block_ctx->len) { | 1038 | sf->block_ctx->len) { |
| @@ -1047,6 +1048,7 @@ leaf_item_out_of_bounce_error: | |||
| 1047 | disk_item_offset, | 1048 | disk_item_offset, |
| 1048 | sizeof(struct btrfs_item)); | 1049 | sizeof(struct btrfs_item)); |
| 1049 | item_offset = le32_to_cpu(disk_item.offset); | 1050 | item_offset = le32_to_cpu(disk_item.offset); |
| 1051 | item_size = le32_to_cpu(disk_item.size); | ||
| 1050 | disk_key = &disk_item.key; | 1052 | disk_key = &disk_item.key; |
| 1051 | type = disk_key->type; | 1053 | type = disk_key->type; |
| 1052 | 1054 | ||
| @@ -1057,14 +1059,13 @@ leaf_item_out_of_bounce_error: | |||
| 1057 | 1059 | ||
| 1058 | root_item_offset = item_offset + | 1060 | root_item_offset = item_offset + |
| 1059 | offsetof(struct btrfs_leaf, items); | 1061 | offsetof(struct btrfs_leaf, items); |
| 1060 | if (root_item_offset + | 1062 | if (root_item_offset + item_size > |
| 1061 | sizeof(struct btrfs_root_item) > | ||
| 1062 | sf->block_ctx->len) | 1063 | sf->block_ctx->len) |
| 1063 | goto leaf_item_out_of_bounce_error; | 1064 | goto leaf_item_out_of_bounce_error; |
| 1064 | btrfsic_read_from_block_data( | 1065 | btrfsic_read_from_block_data( |
| 1065 | sf->block_ctx, &root_item, | 1066 | sf->block_ctx, &root_item, |
| 1066 | root_item_offset, | 1067 | root_item_offset, |
| 1067 | sizeof(struct btrfs_root_item)); | 1068 | item_size); |
| 1068 | next_bytenr = le64_to_cpu(root_item.bytenr); | 1069 | next_bytenr = le64_to_cpu(root_item.bytenr); |
| 1069 | 1070 | ||
| 1070 | sf->error = | 1071 | sf->error = |