From aac4e4198eff7f9551d586c55342403d49249d95 Mon Sep 17 00:00:00 2001 From: Naohiro Aota Date: Tue, 12 Jul 2011 02:54:13 +0900 Subject: hfsplus: Add additional range check to handle on-disk corruptions 'recoff' is read from disk and used for an argument to memcpy, so if the value read from disk is larger than the page size, it result to "general protection fault". This patch add additional range check for the value, so that disk fuzz won't cause such fault. Signed-off-by: Naohiro Aota Signed-off-by: Christoph Hellwig --- fs/hfsplus/brec.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'fs') diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 2312de34bd4..2a734cfccc9 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec) node->tree->node_size - (rec + 1) * 2); if (!recoff) return 0; + if (recoff > node->tree->node_size - 2) { + printk(KERN_ERR "hfs: recoff %d too large\n", recoff); + return 0; + } retval = hfs_bnode_read_u16(node, recoff) + 2; if (retval > node->tree->max_key_len + 2) { -- cgit v1.2.3