From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 17 Jul 2013 12:20:25 +0000 (+0300)
Subject: Squashfs: sanity check information from disk
X-Git-Tag: v3.12-rc1~55^2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28d7b5684ba98e163ba37779fd09de01fac5261d;p=thirdparty%2Fkernel%2Flinux.git

Squashfs: sanity check information from disk

We read the size of the name from the disk, but a larger name than
expected would cause memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---

diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 7834a517f7f42..f866d42a8b6f3 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb,
 			int len)
 {
 	struct squashfs_sb_info *msblk = sb->s_fs_info;
-	int i, size, length = 0, err;
+	int i, length = 0, err;
+	unsigned int size;
 	struct squashfs_dir_index *index;
 	char *str;
 
@@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb,
 
 
 		size = le32_to_cpu(index->size) + 1;
+		if (size > SQUASHFS_NAME_LEN) {
+			err = -EINVAL;
+			break;
+		}
 
 		err = squashfs_read_metadata(sb, index->name, &index_start,
 					&index_offset, size);