diff options
author | Naohiro Aota <naota@elisp.net> | 2011-07-11 19:54:13 +0200 |
---|---|---|
committer | Christoph Hellwig <hch@lst.de> | 2011-07-22 16:36:56 +0200 |
commit | aac4e4198eff7f9551d586c55342403d49249d95 (patch) | |
tree | 9fadb2150044176f1585133d0cf2711c737ddd99 /fs/hfsplus/brec.c | |
parent | hfsplus: Add error propagation for hfsplus_ext_write_extent_locked (diff) | |
download | linux-aac4e4198eff7f9551d586c55342403d49249d95.tar.xz linux-aac4e4198eff7f9551d586c55342403d49249d95.zip |
hfsplus: Add additional range check to handle on-disk corruptions
'recoff' is read from disk and used for an argument to memcpy, so if
the value read from disk is larger than the page size, it result to
"general protection fault". This patch add additional range check for
the value, so that disk fuzz won't cause such fault.
Signed-off-by: Naohiro Aota <naota@elisp.net>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to '')
-rw-r--r-- | fs/hfsplus/brec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 2312de34bd42..2a734cfccc92 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec) node->tree->node_size - (rec + 1) * 2); if (!recoff) return 0; + if (recoff > node->tree->node_size - 2) { + printk(KERN_ERR "hfs: recoff %d too large\n", recoff); + return 0; + } retval = hfs_bnode_read_u16(node, recoff) + 2; if (retval > node->tree->max_key_len + 2) { |