f2fs: check memory boundary by insane namelen
If namelen is corrupted to have very long value, fill_dentries can copy wrong memory area. Reviewed-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
This commit is contained in:
Jaegeuk Kim
parent
1e771e83ce
commit
4e240d1bab
@ -808,6 +808,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
|
|||||||
de_name.name = d->filename[bit_pos];
|
de_name.name = d->filename[bit_pos];
|
||||||
de_name.len = le16_to_cpu(de->name_len);
|
de_name.len = le16_to_cpu(de->name_len);
|
||||||
|
|
||||||
|
/* check memory boundary before moving forward */
|
||||||
|
bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
|
||||||
|
if (unlikely(bit_pos > d->max)) {
|
||||||
|
f2fs_msg(sbi->sb, KERN_WARNING,
|
||||||
|
"%s: corrupted namelen=%d, run fsck to fix.",
|
||||||
|
__func__, le16_to_cpu(de->name_len));
|
||||||
|
set_sbi_flag(sbi, SBI_NEED_FSCK);
|
||||||
|
err = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
if (f2fs_encrypted_inode(d->inode)) {
|
if (f2fs_encrypted_inode(d->inode)) {
|
||||||
int save_len = fstr->len;
|
int save_len = fstr->len;
|
||||||
|
|
||||||
@ -830,7 +841,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
|
|||||||
if (readdir_ra)
|
if (readdir_ra)
|
||||||
f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
|
f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
|
||||||
|
|
||||||
bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
|
|
||||||
ctx->pos = start_pos + bit_pos;
|
ctx->pos = start_pos + bit_pos;
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user