diff options
| -rw-r--r-- | fs/hfs/bfind.c | 12 | ||||
| -rw-r--r-- | fs/hfs/brec.c | 15 | ||||
| -rw-r--r-- | fs/hfs/btree.c | 13 | ||||
| -rw-r--r-- | fs/hfs/hfs.h | 5 |
4 files changed, 42 insertions, 3 deletions
diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c index f13f1494d4fe..f8452a0eab56 100644 --- a/fs/hfs/bfind.c +++ b/fs/hfs/bfind.c | |||
| @@ -52,6 +52,10 @@ int __hfs_brec_find(struct hfs_bnode *bnode, struct hfs_find_data *fd) | |||
| 52 | rec = (e + b) / 2; | 52 | rec = (e + b) / 2; |
| 53 | len = hfs_brec_lenoff(bnode, rec, &off); | 53 | len = hfs_brec_lenoff(bnode, rec, &off); |
| 54 | keylen = hfs_brec_keylen(bnode, rec); | 54 | keylen = hfs_brec_keylen(bnode, rec); |
| 55 | if (keylen == HFS_BAD_KEYLEN) { | ||
| 56 | res = -EINVAL; | ||
| 57 | goto done; | ||
| 58 | } | ||
| 55 | hfs_bnode_read(bnode, fd->key, off, keylen); | 59 | hfs_bnode_read(bnode, fd->key, off, keylen); |
| 56 | cmpval = bnode->tree->keycmp(fd->key, fd->search_key); | 60 | cmpval = bnode->tree->keycmp(fd->key, fd->search_key); |
| 57 | if (!cmpval) { | 61 | if (!cmpval) { |
| @@ -67,6 +71,10 @@ int __hfs_brec_find(struct hfs_bnode *bnode, struct hfs_find_data *fd) | |||
| 67 | if (rec != e && e >= 0) { | 71 | if (rec != e && e >= 0) { |
| 68 | len = hfs_brec_lenoff(bnode, e, &off); | 72 | len = hfs_brec_lenoff(bnode, e, &off); |
| 69 | keylen = hfs_brec_keylen(bnode, e); | 73 | keylen = hfs_brec_keylen(bnode, e); |
| 74 | if (keylen == HFS_BAD_KEYLEN) { | ||
| 75 | res = -EINVAL; | ||
| 76 | goto done; | ||
| 77 | } | ||
| 70 | hfs_bnode_read(bnode, fd->key, off, keylen); | 78 | hfs_bnode_read(bnode, fd->key, off, keylen); |
| 71 | } | 79 | } |
| 72 | done: | 80 | done: |
| @@ -198,6 +206,10 @@ int hfs_brec_goto(struct hfs_find_data *fd, int cnt) | |||
| 198 | 206 | ||
| 199 | len = hfs_brec_lenoff(bnode, fd->record, &off); | 207 | len = hfs_brec_lenoff(bnode, fd->record, &off); |
| 200 | keylen = hfs_brec_keylen(bnode, fd->record); | 208 | keylen = hfs_brec_keylen(bnode, fd->record); |
| 209 | if (keylen == HFS_BAD_KEYLEN) { | ||
| 210 | res = -EINVAL; | ||
| 211 | goto out; | ||
| 212 | } | ||
| 201 | fd->keyoffset = off; | 213 | fd->keyoffset = off; |
| 202 | fd->keylength = keylen; | 214 | fd->keylength = keylen; |
| 203 | fd->entryoffset = off + keylen; | 215 | fd->entryoffset = off + keylen; |
diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c index 5c87cf4801fc..8626ee375ea8 100644 --- a/fs/hfs/brec.c +++ b/fs/hfs/brec.c | |||
| @@ -44,10 +44,21 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec) | |||
| 44 | recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2); | 44 | recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2); |
| 45 | if (!recoff) | 45 | if (!recoff) |
| 46 | return 0; | 46 | return 0; |
| 47 | if (node->tree->attributes & HFS_TREE_BIGKEYS) | 47 | if (node->tree->attributes & HFS_TREE_BIGKEYS) { |
| 48 | retval = hfs_bnode_read_u16(node, recoff) + 2; | 48 | retval = hfs_bnode_read_u16(node, recoff) + 2; |
| 49 | else | 49 | if (retval > node->tree->max_key_len + 2) { |
| 50 | printk(KERN_ERR "hfs: keylen %d too large\n", | ||
| 51 | retval); | ||
| 52 | retval = HFS_BAD_KEYLEN; | ||
| 53 | } | ||
| 54 | } else { | ||
| 50 | retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1; | 55 | retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1; |
| 56 | if (retval > node->tree->max_key_len + 1) { | ||
| 57 | printk(KERN_ERR "hfs: keylen %d too large\n", | ||
| 58 | retval); | ||
| 59 | retval = HFS_BAD_KEYLEN; | ||
| 60 | } | ||
| 61 | } | ||
| 51 | } | 62 | } |
| 52 | return retval; | 63 | return retval; |
| 53 | } | 64 | } |
diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c index 8a3a650abc87..31284c77bba8 100644 --- a/fs/hfs/btree.c +++ b/fs/hfs/btree.c | |||
| @@ -81,6 +81,17 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke | |||
| 81 | goto fail_page; | 81 | goto fail_page; |
| 82 | if (!tree->node_count) | 82 | if (!tree->node_count) |
| 83 | goto fail_page; | 83 | goto fail_page; |
| 84 | if ((id == HFS_EXT_CNID) && (tree->max_key_len != HFS_MAX_EXT_KEYLEN)) { | ||
| 85 | printk(KERN_ERR "hfs: invalid extent max_key_len %d\n", | ||
| 86 | tree->max_key_len); | ||
| 87 | goto fail_page; | ||
| 88 | } | ||
| 89 | if ((id == HFS_CAT_CNID) && (tree->max_key_len != HFS_MAX_CAT_KEYLEN)) { | ||
| 90 | printk(KERN_ERR "hfs: invalid catalog max_key_len %d\n", | ||
| 91 | tree->max_key_len); | ||
| 92 | goto fail_page; | ||
| 93 | } | ||
| 94 | |||
| 84 | tree->node_size_shift = ffs(size) - 1; | 95 | tree->node_size_shift = ffs(size) - 1; |
| 85 | tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; | 96 | tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; |
| 86 | 97 | ||
| @@ -89,9 +100,9 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke | |||
| 89 | return tree; | 100 | return tree; |
| 90 | 101 | ||
| 91 | fail_page: | 102 | fail_page: |
| 92 | tree->inode->i_mapping->a_ops = &hfs_aops; | ||
| 93 | page_cache_release(page); | 103 | page_cache_release(page); |
| 94 | free_tree: | 104 | free_tree: |
| 105 | tree->inode->i_mapping->a_ops = &hfs_aops; | ||
| 95 | iput(tree->inode); | 106 | iput(tree->inode); |
| 96 | kfree(tree); | 107 | kfree(tree); |
| 97 | return NULL; | 108 | return NULL; |
diff --git a/fs/hfs/hfs.h b/fs/hfs/hfs.h index 1445e3a56ed4..c6aae61adfe6 100644 --- a/fs/hfs/hfs.h +++ b/fs/hfs/hfs.h | |||
| @@ -28,6 +28,8 @@ | |||
| 28 | #define HFS_MAX_NAMELEN 128 | 28 | #define HFS_MAX_NAMELEN 128 |
| 29 | #define HFS_MAX_VALENCE 32767U | 29 | #define HFS_MAX_VALENCE 32767U |
| 30 | 30 | ||
| 31 | #define HFS_BAD_KEYLEN 0xFF | ||
| 32 | |||
| 31 | /* Meanings of the drAtrb field of the MDB, | 33 | /* Meanings of the drAtrb field of the MDB, |
| 32 | * Reference: _Inside Macintosh: Files_ p. 2-61 | 34 | * Reference: _Inside Macintosh: Files_ p. 2-61 |
| 33 | */ | 35 | */ |
| @@ -167,6 +169,9 @@ typedef union hfs_btree_key { | |||
| 167 | struct hfs_ext_key ext; | 169 | struct hfs_ext_key ext; |
| 168 | } hfs_btree_key; | 170 | } hfs_btree_key; |
| 169 | 171 | ||
| 172 | #define HFS_MAX_CAT_KEYLEN (sizeof(struct hfs_cat_key) - sizeof(u8)) | ||
| 173 | #define HFS_MAX_EXT_KEYLEN (sizeof(struct hfs_ext_key) - sizeof(u8)) | ||
| 174 | |||
| 170 | typedef union hfs_btree_key btree_key; | 175 | typedef union hfs_btree_key btree_key; |
| 171 | 176 | ||
| 172 | struct hfs_extent { | 177 | struct hfs_extent { |