diff options
author | John Stultz <john.stultz@linaro.org> | 2011-04-18 13:19:07 -0700 |
---|---|---|
committer | John Stultz <john.stultz@linaro.org> | 2011-04-18 13:19:07 -0700 |
commit | 775d71e49c65f1f6aa57776ea1da62988fc9a30a (patch) | |
tree | ce03cae544bacc8dda67422fd66a543dd1ae3c99 /fs/squashfs/namei.c | |
parent | 18e82d2b952ab57fc1c8a69d4fa14e562f2aecf6 (diff) | |
parent | c1a952f48517b5545075d8eb1a5d543099bd2ae1 (diff) |
Merge branch 'upstream/linaro.38' into linaro-android.38KNOWN_GOOD
Diffstat (limited to 'fs/squashfs/namei.c')
-rw-r--r-- | fs/squashfs/namei.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 7a9464d08cf..5d922a6701a 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c @@ -176,6 +176,11 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry, length += sizeof(dirh); dir_count = le32_to_cpu(dirh.count) + 1; + + /* dir_count should never be larger than 256 */ + if (dir_count > 256) + goto data_error; + while (dir_count--) { /* * Read directory entry. @@ -187,6 +192,10 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry, size = le16_to_cpu(dire->size) + 1; + /* size should never be larger than SQUASHFS_NAME_LEN */ + if (size > SQUASHFS_NAME_LEN) + goto data_error; + err = squashfs_read_metadata(dir->i_sb, dire->name, &block, &offset, size); if (err < 0) @@ -228,6 +237,9 @@ exit_lookup: d_add(dentry, inode); return ERR_PTR(0); +data_error: + err = -EIO; + read_failure: ERROR("Unable to read directory block [%llx:%x]\n", squashfs_i(dir)->start + msblk->directory_table, |