authorPhillip Lougher <phillip@squashfs.org.uk>2013-09-02 23:52:52 -0400
committerPhillip Lougher <phillip@squashfs.org.uk>2013-09-05 23:57:53 -0400
commitf960cae5357d8e52b8af91e8b1621cae565dffb3 (patch)
tree0b1abaf2638d2bb842206e27009c5383687974f0 /fs
parent68e7f412370ecfeb1bd667d0d174fad34517516e (diff)
Squashfs: add corruption check in get_dir_index_using_offset()
We read the size (of the name) field from disk. This value should be sanity checked for correctness to avoid blindly reading huge amounts of unnecessary data from disk on corruption. Note, here we're not actually reading the name into a buffer, but skipping it, and so corruption doesn't cause a buffer overflow; it merely causes a large amount of unnecessary data to be read. Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Diffstat (limited to 'fs')
-rw-r--r--fs/squashfs/dir.c9
1 files changed, 8 insertions, 1 deletions
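--- a/fs/squashfs/dir.c
+++ b/fs/squashfs/dir.c
@@ -54,6 +54,7 @@ static int get_dir_index_using_offset(struct super_block *sb,
 {
 	struct squashfs_sb_info *msblk = sb->s_fs_info;
 	int err, i, index, length = 0;
+	unsigned int size;
 	struct squashfs_dir_index dir_index;
 
 	TRACE("Entered get_dir_index_using_offset, i_count %d, f_pos %lld\n",
@@ -81,8 +82,14 @@ static int get_dir_index_using_offset(struct super_block *sb,
 		 */
 		break;
 
+		size = le32_to_cpu(dir_index.size) + 1;
+
+		/* size should never be larger than SQUASHFS_NAME_LEN */
+		if (size > SQUASHFS_NAME_LEN)
+			break;
+
 		err = squashfs_read_metadata(sb, NULL, &index_start,
-				&index_offset, le32_to_cpu(dir_index.size) + 1);
+				&index_offset, size);
 		if (err < 0)
 			break;
 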
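Review bot: The new bound in the second hunk still admits one corrupt value, because `size = le32_to_cpu(dir_index.size) + 1` is 32-bit unsigned arithmetic: a stored size of 0xFFFFFFFF wraps to size 0, which is not greater than SQUASHFS_NAME_LEN, so the entry passes the check and squashfs_read_metadata is asked to skip zero bytes. The +1 suggests the on-disk field stores the name length minus one, in which case a well-formed entry can never yield size 0, and the guard can reject it at no extra cost: `if (size == 0 || size > SQUASHFS_NAME_LEN)`. I cannot see from the hunk how squashfs_read_metadata treats a zero length, so the consequence is probably a desynchronised walk of the index entries (the name is never skipped) rather than an over-read, but it is cheap to close. The enclosing loop and the body of get_dir_index_using_offset continue outside the hunk.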