]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a532541)
ntfs: check $EA query-length in ntfs_ea_get
authorHyunchul Lee <hyc.lee@gmail.com>
Mon, 9 Mar 2026 07:06:06 +0000 (16:06 +0900)
committerNamjae Jeon <linkinjeon@kernel.org>
Mon, 16 Mar 2026 11:27:36 +0000 (20:27 +0900)
if ea_info_qlen exceeds all_ea_size, OOB can happen.

Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
fs/ntfs/ea.c patch | blob | blame | history

diff --git a/fs/ntfs/ea.c b/fs/ntfs/ea.c
index d479bf3608c8576fcb1258f40b9ef7a69d4d005d..115e3c5552a33bfa8936e07a9ab26e26ae1d5f6b 100644 (file)
--- a/fs/ntfs/ea.c
+++ b/fs/ntfs/ea.c
@@ -136,6 +136,11 @@ static int ntfs_get_ea(struct inode *inode, const char *name, size_t name_len,
        if (!ea_buf)
                return -ENODATA;
 
+       if (ea_info_qlen > all_ea_size) {
+               err = -EIO;
+               goto free_ea_buf;
+       }
+
        err = ntfs_ea_lookup(ea_buf, ea_info_qlen, name, name_len, &ea_off,
                        &ea_size);
        if (!err) {
A mirror of Linus' kernel repository