]> Pileus Git - ~andy/linux/commitdiff
projects / ~andy / linux / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f960cae)
Squashfs: add corruption check for type in squashfs_readdir()
authorPhillip Lougher <phillip@squashfs.org.uk>
Wed, 4 Sep 2013 01:58:12 +0000 (02:58 +0100)
committerPhillip Lougher <phillip@squashfs.org.uk>
Fri, 6 Sep 2013 03:57:54 +0000 (04:57 +0100)
We read the type field from disk.  This value should be sanity
checked for correctness to avoid an out of bounds access when
reading the squashfs_filetype_table array.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
fs/squashfs/dir.c patch | blob | history
fs/squashfs/squashfs_fs.h patch | blob | history

diff --git a/fs/squashfs/dir.c b/fs/squashfs/dir.c
index bd7155b198a93f4caebf90674824786a656a546b..d8c2d747be28d183542a0f2bd4a5d18060436783 100644 (file)
--- a/fs/squashfs/dir.c
+++ b/fs/squashfs/dir.c
@@ -112,8 +112,8 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
        struct inode *inode = file_inode(file);
        struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
        u64 block = squashfs_i(inode)->start + msblk->directory_table;
-       int offset = squashfs_i(inode)->offset, length, type, err;
-       unsigned int inode_number, dir_count, size;
+       int offset = squashfs_i(inode)->offset, length, err;
+       unsigned int inode_number, dir_count, size, type;
        struct squashfs_dir_header dirh;
        struct squashfs_dir_entry *dire;
 
@@ -206,6 +206,9 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
                                ((short) le16_to_cpu(dire->inode_number));
                        type = le16_to_cpu(dire->type);
 
+                       if (type > SQUASHFS_MAX_DIR_TYPE)
+                               goto failed_read;
+
                        if (!dir_emit(ctx, dire->name, size,
                                        inode_number,
                                        squashfs_filetype_table[type]))
diff --git a/fs/squashfs/squashfs_fs.h b/fs/squashfs/squashfs_fs.h
index 9e2349d07cb1c98334fd19ffbeb5441361f65edf..4b2beda49498a39036d4db729d539042d1d750d5 100644 (file)
--- a/fs/squashfs/squashfs_fs.h
+++ b/fs/squashfs/squashfs_fs.h
@@ -87,7 +87,7 @@
 #define SQUASHFS_COMP_OPTS(flags)              SQUASHFS_BIT(flags, \
                                                SQUASHFS_COMP_OPT)
 
-/* Max number of types and file types */
+/* Inode types including extended types */
 #define SQUASHFS_DIR_TYPE              1
 #define SQUASHFS_REG_TYPE              2
 #define SQUASHFS_SYMLINK_TYPE          3
@@ -103,6 +103,9 @@
 #define SQUASHFS_LFIFO_TYPE            13
 #define SQUASHFS_LSOCKET_TYPE          14
 
+/* Max type value stored in directory entry */
+#define SQUASHFS_MAX_DIR_TYPE          7
+
 /* Xattr types */
 #define SQUASHFS_XATTR_USER             0
 #define SQUASHFS_XATTR_TRUSTED          1
Andy's Linux Kernel repo