hfs: fix a potential buffer overflow (ec81aecb) · Commits · 戴 / test

fs/hfs/catalog.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode src_dir, struct qstr src_name,
	err = hfs_brec_find(&src_fd);		err = hfs_brec_find(&src_fd);
	if (err)		if (err)
	goto out;		goto out;
			if (src_fd.entrylength > sizeof(entry) \|\| src_fd.entrylength < 0) {
			err = -EIO;
			goto out;
			}

	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,		hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
	src_fd.entrylength);		src_fd.entrylength);

+11 −0

Original line number	Original line	Diff line number	Diff line
	@@ -79,6 +79,11 @@ static int hfs_readdir(struct file filp, void dirent, filldir_t filldir)
	filp->f_pos++;		filp->f_pos++;
	/* fall through */		/* fall through */
	case 1:		case 1:
			if (fd.entrylength > sizeof(entry) \|\| fd.entrylength < 0) {
			err = -EIO;
			goto out;
			}

	hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
	if (entry.type != HFS_CDR_THD) {		if (entry.type != HFS_CDR_THD) {
	printk(KERN_ERR "hfs: bad catalog folder thread\n");		printk(KERN_ERR "hfs: bad catalog folder thread\n");
	@@ -109,6 +114,12 @@ static int hfs_readdir(struct file filp, void dirent, filldir_t filldir)
	err = -EIO;		err = -EIO;
	goto out;		goto out;
	}		}

			if (fd.entrylength > sizeof(entry) \|\| fd.entrylength < 0) {
			err = -EIO;
			goto out;
			}

	hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
	type = entry.type;		type = entry.type;
	len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);		len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);

+6 −1

Original line number	Original line	Diff line number	Diff line
	@@ -409,8 +409,13 @@ static int hfs_fill_super(struct super_block sb, void data, int silent)
	/* try to get the root inode */		/* try to get the root inode */
	hfs_find_init(HFS_SB(sb)->cat_tree, &fd);		hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
	res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);		res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
	if (!res)		if (!res) {
			if (fd.entrylength > sizeof(rec) \|\| fd.entrylength < 0) {
			res = -EIO;
			goto bail;
			}
	hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
			}
	if (res) {		if (res) {
	hfs_find_exit(&fd);		hfs_find_exit(&fd);
	goto bail_no_root;		goto bail_no_root;