Otherwise it's possible for a corrupt file system or bad user input to
cause debugfs to crash if the resulting inode number is insanely
large.
This problem was found using American Fuzzy Lop.
Reported-by: Adam Buchbinder <abuchbinder@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
*/
if ((len > 2) && (str[0] == '<') && (str[len-1] == '>')) {
ino = strtoul(str+1, &end, 0);
- if (*end=='>')
+ if (*end=='>' && (ino <= current_fs->super->s_inodes_count))
return ino;
}
com_err(str, retval, 0);
return 0;
}
+ if (ino > current_fs->super->s_inodes_count) {
+ com_err(str, 0, "resolves to an illegal inode number: %u\n",
+ ino);
+ return 0;
+ }
return ino;
}