From: Dan Carpenter Date: Wed, 17 Jul 2013 12:20:25 +0000 (+0300) Subject: Squashfs: sanity check information from disk X-Git-Tag: firefly_0821_release~4090^2~73 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=639839d89f7b7fd15160389f57edf06b93205b2d;p=firefly-linux-kernel-4.4.55.git Squashfs: sanity check information from disk We read the size of the name from the disk, but a larger name than expected would cause memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: Phillip Lougher
---
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 7834a517f7f4..f866d42a8b6f 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb,
 int len)
 {
 struct squashfs_sb_info *msblk = sb->s_fs_info;
- int i, size, length = 0, err;
+ int i, length = 0, err;
+ unsigned int size;
 struct squashfs_dir_index *index;
 char *str;
@@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb,
 size = le32_to_cpu(index->size) + 1;
+ if (size > SQUASHFS_NAME_LEN) {
+ err = -EINVAL;
+ break;
+ }
 err = squashfs_read_metadata(sb, index->name, &index_start, &index_offset, size);
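Review bot: The bound check added in the second hunk only holds because the first hunk makes `size` unsigned, and nothing in the code records that dependency. With the old `int size`, a large on-disk length would turn negative and pass `size > SQUASHFS_NAME_LEN`, so a later change of the type back to `int` would silently undo the fix. I would add a comment above the check, for example `/* size is unsigned on purpose: an oversized on-disk length must not appear negative and pass this test */`. An on-disk `index->size` of 0xffffffff also makes `le32_to_cpu(index->size) + 1` wrap to 0, which passes the check and asks `squashfs_read_metadata()` for a zero-length read; whether that is harmless depends on code outside the hunk. The allocation behind `index->name` and the rest of the loop are not visible here, so it should be confirmed that the buffer really holds SQUASHFS_NAME_LEN bytes plus any terminator written afterwards.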