From: Sheng Yong <shengyong1@huawei.com>
Date: Mon, 7 Jan 2019 07:02:34 +0000 (+0800)
Subject: f2fs: check if file namelen exceeds max value
X-Git-Tag: v4.4.233~137
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=559eff3dca325947bc3d88d17f4c454111884be5;p=thirdparty%2Fkernel%2Fstable.git

f2fs: check if file namelen exceeds max value

[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]

Dentry bitmap is not enough to detect incorrect dentries. So this patch
also checks the namelen value of a dentry.

Signed-off-by: Gong Chen <gongchen4@huawei.com>
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 5411d6667781f..e2ff0eb16f89c 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -807,7 +807,8 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
 
 		/* check memory boundary before moving forward */
 		bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
-		if (unlikely(bit_pos > d->max)) {
+		if (unlikely(bit_pos > d->max ||
+				le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
 			f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
 				"%s: corrupted namelen=%d, run fsck to fix.",
 				__func__, le16_to_cpu(de->name_len));