diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-07-17 08:20:25 -0400 |
|---|---|---|
| committer | Phillip Lougher <phillip@squashfs.org.uk> | 2013-08-28 20:23:29 -0400 |
| commit | 28d7b5684ba98e163ba37779fd09de01fac5261d (patch) | |
| tree | 100179e5de52e6bb9e49b0d2f28c1045c363e70a /fs/squashfs/namei.c | |
| parent | d8dfad3876e4386666b759da3c833d62fb8b2267 (diff) | |
Squashfs: sanity check information from disk
We read the size of the name from the disk, but a larger name than
expected would cause memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Diffstat (limited to 'fs/squashfs/namei.c')
| -rw-r--r-- | fs/squashfs/namei.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 7834a517f7f4..f866d42a8b6f 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c | |||
| @@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb, | |||
| 79 | int len) | 79 | int len) |
| 80 | { | 80 | { |
| 81 | struct squashfs_sb_info *msblk = sb->s_fs_info; | 81 | struct squashfs_sb_info *msblk = sb->s_fs_info; |
| 82 | int i, size, length = 0, err; | 82 | int i, length = 0, err; |
| 83 | unsigned int size; | ||
| 83 | struct squashfs_dir_index *index; | 84 | struct squashfs_dir_index *index; |
| 84 | char *str; | 85 | char *str; |
| 85 | 86 | ||
| @@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb, | |||
| 103 | 104 | ||
| 104 | 105 | ||
| 105 | size = le32_to_cpu(index->size) + 1; | 106 | size = le32_to_cpu(index->size) + 1; |
| 107 | if (size > SQUASHFS_NAME_LEN) { | ||
| 108 | err = -EINVAL; | ||
| 109 | break; | ||
| 110 | } | ||
| 106 | 111 | ||
| 107 | err = squashfs_read_metadata(sb, index->name, &index_start, | 112 | err = squashfs_read_metadata(sb, index->name, &index_start, |
| 108 | &index_offset, size); | 113 | &index_offset, size); |