aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fs/jffs2/gc.c7
-rw-r--r--fs/jffs2/scan.c15
-rw-r--r--fs/jffs2/summary.c22
3 files changed, 35 insertions, 9 deletions
diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c
index 95be264fe9b6..f25e485ed879 100644
--- a/fs/jffs2/gc.c
+++ b/fs/jffs2/gc.c
@@ -608,10 +608,15 @@ static int jffs2_garbage_collect_pristine(struct jffs2_sb_info *c,
608 goto bail; 608 goto bail;
609 } 609 }
610 610
611 if (strnlen(node->d.name, node->d.nsize) != node->d.nsize) {
612 printk(KERN_WARNING "Name in dirent node at 0x%08x contains zeroes\n", ref_offset(raw));
613 goto bail;
614 }
615
611 if (node->d.nsize) { 616 if (node->d.nsize) {
612 crc = crc32(0, node->d.name, node->d.nsize); 617 crc = crc32(0, node->d.name, node->d.nsize);
613 if (je32_to_cpu(node->d.name_crc) != crc) { 618 if (je32_to_cpu(node->d.name_crc) != crc) {
614 printk(KERN_WARNING "Name CRC failed on REF_PRISTINE dirent ode at 0x%08x: Read 0x%08x, calculated 0x%08x\n", 619 printk(KERN_WARNING "Name CRC failed on REF_PRISTINE dirent node at 0x%08x: Read 0x%08x, calculated 0x%08x\n",
615 ref_offset(raw), je32_to_cpu(node->d.name_crc), crc); 620 ref_offset(raw), je32_to_cpu(node->d.name_crc), crc);
616 goto bail; 621 goto bail;
617 } 622 }
diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index 35ef8d83366f..272872d27fd5 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -1004,6 +1004,7 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
1004{ 1004{
1005 struct jffs2_full_dirent *fd; 1005 struct jffs2_full_dirent *fd;
1006 struct jffs2_inode_cache *ic; 1006 struct jffs2_inode_cache *ic;
1007 uint32_t checkedlen;
1007 uint32_t crc; 1008 uint32_t crc;
1008 int err; 1009 int err;
1009 1010
@@ -1024,12 +1025,18 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
1024 1025
1025 pseudo_random += je32_to_cpu(rd->version); 1026 pseudo_random += je32_to_cpu(rd->version);
1026 1027
1027 fd = jffs2_alloc_full_dirent(rd->nsize+1); 1028 /* Should never happen. Did. (OLPC trac #4184)*/
1029 checkedlen = strnlen(rd->name, rd->nsize);
1030 if (checkedlen < rd->nsize) {
1031 printk(KERN_ERR "Dirent at %08x has zeroes in name. Truncating to %d chars\n",
1032 ofs, checkedlen);
1033 }
1034 fd = jffs2_alloc_full_dirent(checkedlen+1);
1028 if (!fd) { 1035 if (!fd) {
1029 return -ENOMEM; 1036 return -ENOMEM;
1030 } 1037 }
1031 memcpy(&fd->name, rd->name, rd->nsize); 1038 memcpy(&fd->name, rd->name, checkedlen);
1032 fd->name[rd->nsize] = 0; 1039 fd->name[checkedlen] = 0;
1033 1040
1034 crc = crc32(0, fd->name, rd->nsize); 1041 crc = crc32(0, fd->name, rd->nsize);
1035 if (crc != je32_to_cpu(rd->name_crc)) { 1042 if (crc != je32_to_cpu(rd->name_crc)) {
@@ -1055,7 +1062,7 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
1055 fd->next = NULL; 1062 fd->next = NULL;
1056 fd->version = je32_to_cpu(rd->version); 1063 fd->version = je32_to_cpu(rd->version);
1057 fd->ino = je32_to_cpu(rd->ino); 1064 fd->ino = je32_to_cpu(rd->ino);
1058 fd->nhash = full_name_hash(fd->name, rd->nsize); 1065 fd->nhash = full_name_hash(fd->name, checkedlen);
1059 fd->type = rd->type; 1066 fd->type = rd->type;
1060 jffs2_add_fd_to_list(c, fd, &ic->scan_dents); 1067 jffs2_add_fd_to_list(c, fd, &ic->scan_dents);
1061 1068
diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index 2a77d3f93029..629af01e5ade 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -429,6 +429,7 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
429 429
430 case JFFS2_NODETYPE_DIRENT: { 430 case JFFS2_NODETYPE_DIRENT: {
431 struct jffs2_sum_dirent_flash *spd; 431 struct jffs2_sum_dirent_flash *spd;
432 int checkedlen;
432 spd = sp; 433 spd = sp;
433 434
434 dbg_summary("Dirent at 0x%08x-0x%08x\n", 435 dbg_summary("Dirent at 0x%08x-0x%08x\n",
@@ -436,12 +437,25 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
436 jeb->offset + je32_to_cpu(spd->offset) + je32_to_cpu(spd->totlen)); 437 jeb->offset + je32_to_cpu(spd->offset) + je32_to_cpu(spd->totlen));
437 438
438 439
439 fd = jffs2_alloc_full_dirent(spd->nsize+1); 440 /* This should never happen, but https://dev.laptop.org/ticket/4184 */
441 checkedlen = strnlen(spd->name, spd->nsize);
442 if (!checkedlen) {
443 printk(KERN_ERR "Dirent at %08x has zero at start of name. Aborting mount.\n",
444 jeb->offset + je32_to_cpu(spd->offset));
445 return -EIO;
446 }
447 if (checkedlen < spd->nsize) {
448 printk(KERN_ERR "Dirent at %08x has zeroes in name. Truncating to %d chars\n",
449 jeb->offset + je32_to_cpu(spd->offset), checkedlen);
450 }
451
452
453 fd = jffs2_alloc_full_dirent(checkedlen+1);
440 if (!fd) 454 if (!fd)
441 return -ENOMEM; 455 return -ENOMEM;
442 456
443 memcpy(&fd->name, spd->name, spd->nsize); 457 memcpy(&fd->name, spd->name, checkedlen);
444 fd->name[spd->nsize] = 0; 458 fd->name[checkedlen] = 0;
445 459
446 ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(spd->pino)); 460 ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(spd->pino));
447 if (!ic) { 461 if (!ic) {
@@ -455,7 +469,7 @@ static int jffs2_sum_process_sum_data(struct jffs2_sb_info *c, struct jffs2_eras
455 fd->next = NULL; 469 fd->next = NULL;
456 fd->version = je32_to_cpu(spd->version); 470 fd->version = je32_to_cpu(spd->version);
457 fd->ino = je32_to_cpu(spd->ino); 471 fd->ino = je32_to_cpu(spd->ino);
458 fd->nhash = full_name_hash(fd->name, spd->nsize); 472 fd->nhash = full_name_hash(fd->name, checkedlen);
459 fd->type = spd->type; 473 fd->type = spd->type;
460 474
461 jffs2_add_fd_to_list(c, fd, &ic->scan_dents); 475 jffs2_add_fd_to_list(c, fd, &ic->scan_dents);