diff options
author | Zhihao Cheng <chengzhihao1@huawei.com> | 2020-06-16 09:11:44 +0200 |
---|---|---|
committer | Richard Weinberger <richard@nod.at> | 2020-12-13 22:12:32 +0100 |
commit | a33e30a0e023e9d1866866ca895c7789f48445e7 (patch) | |
tree | 383b2fd9b04365a17ed31c4b624d278cf8e23607 /fs/ubifs/recovery.c | |
parent | Revert "ubifs: Fix out-of-bounds memory access caused by abnormal value of no... (diff) | |
download | linux-a33e30a0e023e9d1866866ca895c7789f48445e7.tar.xz linux-a33e30a0e023e9d1866866ca895c7789f48445e7.zip |
ubifs: Pass node length in all node dumping callers
Function ubifs_dump_node() has been modified to avoid memory oob
accessing while dumping node, node length (corresponding to the
size of allocated memory for node) should be passed into all node
dumping callers.
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Diffstat (limited to 'fs/ubifs/recovery.c')
-rw-r--r-- | fs/ubifs/recovery.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/ubifs/recovery.c b/fs/ubifs/recovery.c index f116f7b3f9e5..f0d51dd21c9e 100644 --- a/fs/ubifs/recovery.c +++ b/fs/ubifs/recovery.c @@ -352,11 +352,11 @@ out_free: ubifs_err(c, "failed to recover master node"); if (mst1) { ubifs_err(c, "dumping first master node"); - ubifs_dump_node(c, mst1); + ubifs_dump_node(c, mst1, c->leb_size - ((void *)mst1 - buf1)); } if (mst2) { ubifs_err(c, "dumping second master node"); - ubifs_dump_node(c, mst2); + ubifs_dump_node(c, mst2, c->leb_size - ((void *)mst2 - buf2)); } vfree(buf2); vfree(buf1); @@ -469,7 +469,7 @@ static int no_more_nodes(const struct ubifs_info *c, void *buf, int len, * The area after the common header size is not empty, so the common * header must be intact. Check it. */ - if (ubifs_check_node(c, buf, lnum, offs, 1, 0) != -EUCLEAN) { + if (ubifs_check_node(c, buf, len, lnum, offs, 1, 0) != -EUCLEAN) { dbg_rcvry("unexpected bad common header at %d:%d", lnum, offs); return 0; } |