btrfs: Verify dir_item in replay_xattr_deletes

replay_xattr_deletes calls btrfs_search_slot to get buffer and reads
name.

Call verify_dir_item to check name_len in replay_xattr_deletes to avoid
reading out of boundary.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 11cf38fb3a495e0c12a62c0905a3fccabc3484a8..06c7ceb07282a516924dffd472b80b81a7595801 100644 (file)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2111,6 +2111,7 @@ static int replay_xattr_deletes(struct btrfs_trans_handle *trans,
                              struct btrfs_path *path,
                              const u64 ino)
 {
+       struct btrfs_fs_info *fs_info = root->fs_info;
        struct btrfs_key search_key;
        struct btrfs_path *log_path;
        int i;
@@ -2152,6 +2153,12 @@ process_leaf:
                        u32 this_len = sizeof(*di) + name_len + data_len;
                        char *name;
 
+                       ret = verify_dir_item(fs_info, path->nodes[0],
+                                             path->slots[0], di);
+                       if (ret) {
+                               ret = -EIO;
+                               goto out;
+                       }
                        name = kmalloc(name_len, GFP_NOFS);
                        if (!name) {
                                ret = -ENOMEM;