Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754633Ab3GQMUk (ORCPT ); Wed, 17 Jul 2013 08:20:40 -0400 Received: from aserp1040.oracle.com ([141.146.126.69]:38142 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754334Ab3GQMUh (ORCPT ); Wed, 17 Jul 2013 08:20:37 -0400 Date: Wed, 17 Jul 2013 15:20:25 +0300 From: Dan Carpenter To: Phillip Lougher Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch v2] Squashfs: sanity check information from disk Message-ID: <20130717122025.GA14232@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: ucsinet22.oracle.com [156.151.31.94] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1131 Lines: 38 We read the size of the name from the disk, but a larger name than expected would cause memory corruption. Signed-off-by: Dan Carpenter --- v2: style change diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 7834a51..bc1334c 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c @@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb, int len) { struct squashfs_sb_info *msblk = sb->s_fs_info; - int i, size, length = 0, err; + int i, length = 0, err; + unsigned int size; struct squashfs_dir_index *index; char *str; @@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb, size = le32_to_cpu(index->size) + 1; + if (size > SQUASHFS_NAME_LEN) { + err = -EINVAL; + break; + } err = squashfs_read_metadata(sb, index->name, &index_start, &index_offset, size); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
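Review bot: the change of size from int to unsigned int in the first hunk is load-bearing and the commit message does not say so. With the old signed declaration, an on-disk value with the top bit set would make size negative and the later "size > SQUASHFS_NAME_LEN" test would not reject it. A sentence in the changelog explaining that the type change is what makes the bound check effective would keep a later cleanup from reverting it.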
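Review bot: in the second hunk the check runs after "size = le32_to_cpu(index->size) + 1", and size is now unsigned, so an on-disk value of 0xffffffff wraps to 0 and passes "size > SQUASHFS_NAME_LEN". squashfs_read_metadata() is then called with a length of 0. Either compare the raw on-disk value before adding 1, or confirm that a zero-length read is handled safely there. The allocation behind index->name is not in the visible context, so a short comment stating that the bound already accounts for the +1 would also help the next reader check it against the buffer size.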