xfs: check that dir block entries don't off the end of the buffer

[thirdparty/xfsprogs-dev.git] / libxfs / xfs_dir2_data.c

diff --git a/libxfs/xfs_dir2_data.c b/libxfs/xfs_dir2_data.c
index c8138968b0479fdc2971ecc8174bb7d28e32741d..9e3f4a6caddd3698c432463ced4252f190889982 100644 (file)
--- a/libxfs/xfs_dir2_data.c
+++ b/libxfs/xfs_dir2_data.c
@@ -133,6 +133,8 @@ __xfs_dir3_data_check(
                 */
                if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
                        XFS_WANT_CORRUPTED_RETURN(mp, lastfree == 0);
+                       XFS_WANT_CORRUPTED_RETURN(mp, endp >=
+                                       p + be16_to_cpu(dup->length));
                        XFS_WANT_CORRUPTED_RETURN(mp,
                                be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) ==
                                               (char *)dup - (char *)hdr);
@@ -161,6 +163,8 @@ __xfs_dir3_data_check(
                XFS_WANT_CORRUPTED_RETURN(mp, dep->namelen != 0);
                XFS_WANT_CORRUPTED_RETURN(mp,
                        !xfs_dir_ino_validate(mp, be64_to_cpu(dep->inumber)));
+               XFS_WANT_CORRUPTED_RETURN(mp, endp >=
+                               p + ops->data_entsize(dep->namelen));
                XFS_WANT_CORRUPTED_RETURN(mp,
                        be16_to_cpu(*ops->data_entry_tag_p(dep)) ==
                                               (char *)dep - (char *)hdr);