hfsplus: Add additional range check to handle on-disk corruptions
author Naohiro Aota <naota@elisp.net>
Mon, 11 Jul 2011 17:54:13 +0000 (02:54 +0900)
committer Christoph Hellwig <hch@lst.de>
Fri, 22 Jul 2011 14:36:56 +0000 (16:36 +0200)
'recoff' is read from disk and used as an argument to memcpy, so if
the value read from disk is larger than the page size, it results in a
"general protection fault". This patch adds an additional range check for
the value, so that disk fuzz won't cause such a fault.

Signed-off-by: Naohiro Aota <naota@elisp.net>
Signed-off-by: Christoph Hellwig <hch@lst.de>
fs/hfsplus/brec.c

index 2312de34bd426e0755516042881d3be31ddc33a0..2a734cfccc920263faca60a193e6273457df4b52 100644 (file)
@@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
                        node->tree->node_size - (rec + 1) * 2);
                if (!recoff)
                        return 0;
+               if (recoff > node->tree->node_size - 2) {
+                       printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
+                       return 0;
+               }
 
                retval = hfs_bnode_read_u16(node, recoff) + 2;
                if (retval > node->tree->max_key_len + 2) {
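Review bot: the upper bound in `if (recoff > node->tree->node_size - 2)` only guarantees that the two-byte read at `recoff` on the following line stays inside the node. A `recoff` that points at or past the record's own offset slot at `node_size - (rec + 1) * 2` (the position used in the context line above the check) still passes, so the key length can be read out of the offset table itself. Consider tightening the limit to that slot position. The added `printk(KERN_ERR ...)` is reached with a value taken straight from disk and is not rate-limited, so a corrupted image that hits this path repeatedly can flood the log; `printk_ratelimited` would be the safer choice. The new branch also returns 0, the same value as the `!recoff` case just above it, so the caller cannot tell a corrupt offset from an empty one. Finally, the commit message speaks of the page size while the check compares against `node_size`; a one-line comment saying why `node_size - 2` is the right limit would help the next reader.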