diff options
Diffstat (limited to 'fs/squashfs/namei.c')
| -rw-r--r-- | fs/squashfs/namei.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 7a9464d08cf6..5d922a6701ab 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c | |||
| @@ -176,6 +176,11 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry, | |||
| 176 | length += sizeof(dirh); | 176 | length += sizeof(dirh); |
| 177 | 177 | ||
| 178 | dir_count = le32_to_cpu(dirh.count) + 1; | 178 | dir_count = le32_to_cpu(dirh.count) + 1; |
| 179 | |||
| 180 | /* dir_count should never be larger than 256 */ | ||
| 181 | if (dir_count > 256) | ||
| 182 | goto data_error; | ||
| 183 | |||
| 179 | while (dir_count--) { | 184 | while (dir_count--) { |
| 180 | /* | 185 | /* |
| 181 | * Read directory entry. | 186 | * Read directory entry. |
| @@ -187,6 +192,10 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry, | |||
| 187 | 192 | ||
| 188 | size = le16_to_cpu(dire->size) + 1; | 193 | size = le16_to_cpu(dire->size) + 1; |
| 189 | 194 | ||
| 195 | /* size should never be larger than SQUASHFS_NAME_LEN */ | ||
| 196 | if (size > SQUASHFS_NAME_LEN) | ||
| 197 | goto data_error; | ||
| 198 | |||
| 190 | err = squashfs_read_metadata(dir->i_sb, dire->name, | 199 | err = squashfs_read_metadata(dir->i_sb, dire->name, |
| 191 | &block, &offset, size); | 200 | &block, &offset, size); |
| 192 | if (err < 0) | 201 | if (err < 0) |
| @@ -228,6 +237,9 @@ exit_lookup: | |||
| 228 | d_add(dentry, inode); | 237 | d_add(dentry, inode); |
| 229 | return ERR_PTR(0); | 238 | return ERR_PTR(0); |
| 230 | 239 | ||
| 240 | data_error: | ||
| 241 | err = -EIO; | ||
| 242 | |||
| 231 | read_failure: | 243 | read_failure: |
| 232 | ERROR("Unable to read directory block [%llx:%x]\n", | 244 | ERROR("Unable to read directory block [%llx:%x]\n", |
| 233 | squashfs_i(dir)->start + msblk->directory_table, | 245 | squashfs_i(dir)->start + msblk->directory_table, |