udf: Check path length when reading symlink (0e5cc9a4) · Commits · e / devices / android_kernel_oneplus_sm7250

fs/udf/dir.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -167,7 +167,8 @@ static int udf_readdir(struct file file, struct dir_context ctx)
	continue;		continue;
	}		}

	flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
			UDF_NAME_LEN);
	if (!flen)		if (!flen)
	continue;		continue;

fs/udf/namei.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -233,7 +233,8 @@ static struct fileIdentDesc udf_find_entry(struct inode dir,
	if (!lfi)		if (!lfi)
	continue;		continue;

	flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
			UDF_NAME_LEN);
	if (flen && udf_match(flen, fname, child->len, child->name))		if (flen && udf_match(flen, fname, child->len, child->name))
	goto out_ok;		goto out_ok;
	}		}

fs/udf/symlink.c

+26 −5

Original line number	Original line	Diff line number	Diff line
	@@ -30,13 +30,16 @@
	#include <linux/buffer_head.h>		#include <linux/buffer_head.h>
	#include "udf_i.h"		#include "udf_i.h"

	static void udf_pc_to_char(struct super_block sb, unsigned char from,		static int udf_pc_to_char(struct super_block sb, unsigned char from,
	int fromlen, unsigned char *to)		int fromlen, unsigned char *to, int tolen)
	{		{
	struct pathComponent *pc;		struct pathComponent *pc;
	int elen = 0;		int elen = 0;
			int comp_len;
	unsigned char *p = to;		unsigned char *p = to;

			/* Reserve one byte for terminating \0 */
			tolen--;
	while (elen < fromlen) {		while (elen < fromlen) {
	pc = (struct pathComponent *)(from + elen);		pc = (struct pathComponent *)(from + elen);
	switch (pc->componentType) {		switch (pc->componentType) {
	@@ -49,22 +52,37 @@ static void udf_pc_to_char(struct super_block sb, unsigned char from,
	break;		break;
	/* Fall through */		/* Fall through */
	case 2:		case 2:
			if (tolen == 0)
			return -ENAMETOOLONG;
	p = to;		p = to;
	*p++ = '/';		*p++ = '/';
			tolen--;
	break;		break;
	case 3:		case 3:
			if (tolen < 3)
			return -ENAMETOOLONG;
	memcpy(p, "../", 3);		memcpy(p, "../", 3);
	p += 3;		p += 3;
			tolen -= 3;
	break;		break;
	case 4:		case 4:
			if (tolen < 2)
			return -ENAMETOOLONG;
	memcpy(p, "./", 2);		memcpy(p, "./", 2);
	p += 2;		p += 2;
			tolen -= 2;
	/* that would be . - just ignore */		/* that would be . - just ignore */
	break;		break;
	case 5:		case 5:
	p += udf_get_filename(sb, pc->componentIdent, p,		comp_len = udf_get_filename(sb, pc->componentIdent,
	pc->lengthComponentIdent);		pc->lengthComponentIdent,
			p, tolen);
			p += comp_len;
			tolen -= comp_len;
			if (tolen == 0)
			return -ENAMETOOLONG;
	*p++ = '/';		*p++ = '/';
			tolen--;
	break;		break;
	}		}
	elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;		elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
	@@ -73,6 +91,7 @@ static void udf_pc_to_char(struct super_block sb, unsigned char from,
	p[-1] = '\0';		p[-1] = '\0';
	else		else
	p[0] = '\0';		p[0] = '\0';
			return 0;
	}		}

	static int udf_symlink_filler(struct file file, struct page page)		static int udf_symlink_filler(struct file file, struct page page)
	@@ -108,8 +127,10 @@ static int udf_symlink_filler(struct file file, struct page page)
	symlink = bh->b_data;		symlink = bh->b_data;
	}		}

	udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);		err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
	brelse(bh);		brelse(bh);
			if (err)
			goto out_unlock_inode;

	up_read(&iinfo->i_data_sem);		up_read(&iinfo->i_data_sem);
	SetPageUptodate(page);		SetPageUptodate(page);

fs/udf/udfdecl.h

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -211,7 +211,8 @@ udf_get_lb_pblock(struct super_block sb, struct kernel_lb_addr loc,
	}		}

	/* unicode.c */		/* unicode.c */
	extern int udf_get_filename(struct super_block , uint8_t , uint8_t *, int);		extern int udf_get_filename(struct super_block , uint8_t , int, uint8_t *,
			int);
	extern int udf_put_filename(struct super_block , const uint8_t , uint8_t *,		extern int udf_put_filename(struct super_block , const uint8_t , uint8_t *,
	int);		int);
	extern int udf_build_ustr(struct ustr , dstring , int);		extern int udf_build_ustr(struct ustr , dstring , int);

fs/udf/unicode.c

+16 −12

Original line number	Original line	Diff line number	Diff line
	@@ -28,7 +28,8 @@

	#include "udf_sb.h"		#include "udf_sb.h"

	static int udf_translate_to_linux(uint8_t , uint8_t , int, uint8_t *, int);		static int udf_translate_to_linux(uint8_t , int, uint8_t , int, uint8_t *,
			int);

	static int udf_char_to_ustr(struct ustr dest, const uint8_t src, int strlen)		static int udf_char_to_ustr(struct ustr dest, const uint8_t src, int strlen)
	{		{
	@@ -333,8 +334,8 @@ static int udf_NLStoCS0(struct nls_table nls, dstring ocu, struct ustr *uni,
	return u_len + 1;		return u_len + 1;
	}		}

	int udf_get_filename(struct super_block sb, uint8_t sname, uint8_t *dname,		int udf_get_filename(struct super_block sb, uint8_t sname, int slen,
	int flen)		uint8_t *dname, int dlen)
	{		{
	struct ustr filename, unifilename;		struct ustr filename, unifilename;
	int len = 0;		int len = 0;
	@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block sb, uint8_t sname, uint8_t *dname,
	if (!unifilename)		if (!unifilename)
	goto out1;		goto out1;

	if (udf_build_ustr_exact(unifilename, sname, flen))		if (udf_build_ustr_exact(unifilename, sname, slen))
	goto out2;		goto out2;

	if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {		if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
	@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block sb, uint8_t sname, uint8_t *dname,
	} else		} else
	goto out2;		goto out2;

	len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,		len = udf_translate_to_linux(dname, dlen,
			filename->u_name, filename->u_len,
	unifilename->u_name, unifilename->u_len);		unifilename->u_name, unifilename->u_len);
	out2:		out2:
	kfree(unifilename);		kfree(unifilename);
	@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block sb, const uint8_t sname,
	#define EXT_MARK '.'		#define EXT_MARK '.'
	#define CRC_MARK '#'		#define CRC_MARK '#'
	#define EXT_SIZE 5		#define EXT_SIZE 5
			/* Number of chars we need to store generated CRC to make filename unique */
			#define CRC_LEN 5

	static int udf_translate_to_linux(uint8_t newName, uint8_t udfName,		static int udf_translate_to_linux(uint8_t *newName, int newLen,
	int udfLen, uint8_t *fidName,		uint8_t *udfName, int udfLen,
	int fidNameLen)		uint8_t *fidName, int fidNameLen)
	{		{
	int index, newIndex = 0, needsCRC = 0;		int index, newIndex = 0, needsCRC = 0;
	int extIndex = 0, newExtIndex = 0, hasExt = 0;		int extIndex = 0, newExtIndex = 0, hasExt = 0;
	@@ -439,7 +443,7 @@ static int udf_translate_to_linux(uint8_t newName, uint8_t udfName,
	newExtIndex = newIndex;		newExtIndex = newIndex;
	}		}
	}		}
	if (newIndex < 256)		if (newIndex < newLen)
	newName[newIndex++] = curr;		newName[newIndex++] = curr;
	else		else
	needsCRC = 1;		needsCRC = 1;
	@@ -467,13 +471,13 @@ static int udf_translate_to_linux(uint8_t newName, uint8_t udfName,
	}		}
	ext[localExtIndex++] = curr;		ext[localExtIndex++] = curr;
	}		}
	maxFilenameLen = 250 - localExtIndex;		maxFilenameLen = newLen - CRC_LEN - localExtIndex;
	if (newIndex > maxFilenameLen)		if (newIndex > maxFilenameLen)
	newIndex = maxFilenameLen;		newIndex = maxFilenameLen;
	else		else
	newIndex = newExtIndex;		newIndex = newExtIndex;
	} else if (newIndex > 250)		} else if (newIndex > newLen - CRC_LEN)
	newIndex = 250;		newIndex = newLen - CRC_LEN;
	newName[newIndex++] = CRC_MARK;		newName[newIndex++] = CRC_MARK;
	valueCRC = crc_itu_t(0, fidName, fidNameLen);		valueCRC = crc_itu_t(0, fidName, fidNameLen);
	newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8);		newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8);