authorPhillip Lougher <phillip@squashfs.org.uk>2013-09-04 02:58:12 +0100
committerPhillip Lougher <phillip@squashfs.org.uk>2013-09-06 04:57:54 +0100
commit9e012423869e1efbae3762b87ceab509027231c9 (patch)
treedd451cda9f1a82f6ea83c645807bb459c51b4bf8 /fs/squashfs/dir.c
parentf960cae5357d8e52b8af91e8b1621cae565dffb3 (diff)
Squashfs: add corruption check for type in squashfs_readdir()
We read the type field from disk.  This value should be sanity
checked for correctness to avoid an out of bounds access when
reading the squashfs_filetype_table array.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Diffstat (limited to 'fs/squashfs/dir.c')
-rw-r--r--fs/squashfs/dir.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/squashfs/dir.c b/fs/squashfs/dir.c
index bd7155b198a9..d8c2d747be28 100644
--- a/fs/squashfs/dir.c
+++ b/fs/squashfs/dir.c
@@ -112,8 +112,8 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
 	struct inode *inode = file_inode(file);
 	struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
 	u64 block = squashfs_i(inode)->start + msblk->directory_table;
-	int offset = squashfs_i(inode)->offset, length, type, err;
-	unsigned int inode_number, dir_count, size;
+	int offset = squashfs_i(inode)->offset, length, err;
+	unsigned int inode_number, dir_count, size, type;
 	struct squashfs_dir_header dirh;
 	struct squashfs_dir_entry *dire;
 
@@ -206,6 +206,9 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
 				((short) le16_to_cpu(dire->inode_number));
 			type = le16_to_cpu(dire->type);
 
+			if (type > SQUASHFS_MAX_DIR_TYPE)
+				goto failed_read;
+
 			if (!dir_emit(ctx, dire->name, size,
 					inode_number,
 					squashfs_filetype_table[type]))
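Review bot: The bound in `if (type > SQUASHFS_MAX_DIR_TYPE)` is a separate constant from the array it protects, and neither the macro nor the definition of `squashfs_filetype_table` is visible in this hunk, so the check only holds while the table keeps at least SQUASHFS_MAX_DIR_TYPE + 1 entries. Assuming the table is a true array in scope in this file, deriving the limit from it keeps the two from drifting apart: `if (type >= ARRAY_SIZE(squashfs_filetype_table))`. If the macro is kept, a short comment such as `/* type is read from disk; it must index within squashfs_filetype_table */` would record why the check exists. The `failed_read` label is outside the hunk, so it is worth confirming that its log message and return value suit a corrupted directory entry and not only a failed metadata read. The body of squashfs_readdir starts and ends outside this hunk.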