diff options
author | Phillip Lougher <phillip@lougher.demon.co.uk> | 2011-05-23 23:45:33 -0400 |
---|---|---|
committer | Phillip Lougher <phillip@lougher.demon.co.uk> | 2011-05-25 13:21:33 -0400 |
commit | 1094a4a6118019255bf0e4adaa96bb17ccec3a82 (patch) | |
tree | 06a8f2667681ae591e3a35c16c33fe4830d9b75f /fs | |
parent | 1cac63cc9b2ff0d16ab2d16232b1a6ee8676a47b (diff) |
Squashfs: add extra sanity checks at mount time
Add some extra sanity checks of the inode and directory structures.
Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/squashfs/super.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c index efa8118260d4..984d6c861928 100644 --- a/fs/squashfs/super.c +++ b/fs/squashfs/super.c | |||
@@ -268,7 +268,7 @@ allocate_id_index_table: | |||
268 | handle_fragments: | 268 | handle_fragments: |
269 | fragments = le32_to_cpu(sblk->fragments); | 269 | fragments = le32_to_cpu(sblk->fragments); |
270 | if (fragments == 0) | 270 | if (fragments == 0) |
271 | goto allocate_root; | 271 | goto check_directory_table; |
272 | 272 | ||
273 | msblk->fragment_cache = squashfs_cache_init("fragment", | 273 | msblk->fragment_cache = squashfs_cache_init("fragment", |
274 | SQUASHFS_CACHED_FRAGMENTS, msblk->block_size); | 274 | SQUASHFS_CACHED_FRAGMENTS, msblk->block_size); |
@@ -286,8 +286,22 @@ handle_fragments: | |||
286 | msblk->fragment_index = NULL; | 286 | msblk->fragment_index = NULL; |
287 | goto failed_mount; | 287 | goto failed_mount; |
288 | } | 288 | } |
289 | next_table = msblk->fragment_index[0]; | ||
289 | 290 | ||
290 | allocate_root: | 291 | check_directory_table: |
292 | /* Sanity check directory_table */ | ||
293 | if (msblk->directory_table >= next_table) { | ||
294 | err = -EINVAL; | ||
295 | goto failed_mount; | ||
296 | } | ||
297 | |||
298 | /* Sanity check inode_table */ | ||
299 | if (msblk->inode_table >= msblk->directory_table) { | ||
300 | err = -EINVAL; | ||
301 | goto failed_mount; | ||
302 | } | ||
303 | |||
304 | /* allocate root */ | ||
291 | root = new_inode(sb); | 305 | root = new_inode(sb); |
292 | if (!root) { | 306 | if (!root) { |
293 | err = -ENOMEM; | 307 | err = -ENOMEM; |