diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-05-04 15:09:39 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-04 20:11:24 -0400 |
| commit | 6f24f892871acc47b40dd594c63606a17c714f77 (patch) | |
| tree | b01432358955a328da347e7f05c096d2ca4366ce /fs/hfsplus | |
| parent | f756beba940ca21755396851521463d494893566 (diff) | |
hfsplus: Fix potential buffer overflows
Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem. But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.
Reported-by: Timo Warns <warns@pre-sense.de>
Acked-by: WANG Cong <amwang@redhat.com>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Sage Weil <sage@newdream.net>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: stable <stable@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/hfsplus')
| -rw-r--r-- | fs/hfsplus/catalog.c | 4 | ||||
| -rw-r--r-- | fs/hfsplus/dir.c | 11 |
2 files changed, 15 insertions, 0 deletions
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index 4dfbfec357e8..ec2a9c23f0c9 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c | |||
| @@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid, | |||
| 366 | err = hfs_brec_find(&src_fd); | 366 | err = hfs_brec_find(&src_fd); |
| 367 | if (err) | 367 | if (err) |
| 368 | goto out; | 368 | goto out; |
| 369 | if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { | ||
| 370 | err = -EIO; | ||
| 371 | goto out; | ||
| 372 | } | ||
| 369 | 373 | ||
| 370 | hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, | 374 | hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, |
| 371 | src_fd.entrylength); | 375 | src_fd.entrylength); |
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index 88e155f895c6..26b53fb09f68 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c | |||
| @@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) | |||
| 150 | filp->f_pos++; | 150 | filp->f_pos++; |
| 151 | /* fall through */ | 151 | /* fall through */ |
| 152 | case 1: | 152 | case 1: |
| 153 | if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { | ||
| 154 | err = -EIO; | ||
| 155 | goto out; | ||
| 156 | } | ||
| 157 | |||
| 153 | hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, | 158 | hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, |
| 154 | fd.entrylength); | 159 | fd.entrylength); |
| 155 | if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { | 160 | if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { |
| @@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) | |||
| 181 | err = -EIO; | 186 | err = -EIO; |
| 182 | goto out; | 187 | goto out; |
| 183 | } | 188 | } |
| 189 | |||
| 190 | if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { | ||
| 191 | err = -EIO; | ||
| 192 | goto out; | ||
| 193 | } | ||
| 194 | |||
| 184 | hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, | 195 | hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, |
| 185 | fd.entrylength); | 196 | fd.entrylength); |
| 186 | type = be16_to_cpu(entry.type); | 197 | type = be16_to_cpu(entry.type); |