fs/xfs: Incorrect short form directory data boundary check

After parsing of the current entry, the entry pointer is advanced
to the next entry at the end of the "for" loop. In case where the
last entry is at the end of the data boundary, the advanced entry
pointer can point off the data boundary. The subsequent boundary
check for the advanced entry pointer can cause a failure.

The fix is to include the boundary check into the "for" loop
condition.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Tested-by: Marta Lewandowska <mlewando@redhat.com>

diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index b91cd32b49ab5bd67530b15311f223138bb2c385..ebf962793fa75562cffb1b99cf311d802d0b1f82 100644 (file)
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -810,7 +810,8 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
        if (iterate_dir_call_hook (parent, "..", &ctx))
          return 1;
 
-       for (i = 0; i < head->count; i++)
+       for (i = 0; i < head->count &&
+            (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)
          {
            grub_uint64_t ino;
            grub_uint8_t *inopos = grub_xfs_inline_de_inopos(dir->data, de);
@@ -845,10 +846,6 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
            de->name[de->len] = c;
 
            de = grub_xfs_inline_next_de(dir->data, head, de);
-
-           if ((grub_uint8_t *) de >= (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
-             return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
-
          }
        break;
       }