ocfs2: add bounds checking to ocfs2_check_dir_entry()

static int ocfs2_check_dir_entry(struct inode *dir,

				 struct ocfs2_dir_entry *de,

				 struct buffer_head *bh,

				 char *buf,

				 unsigned int size,

				 unsigned long offset)

{

	const char *error_msg = NULL;

	const int rlen = le16_to_cpu(de->rec_len);

	const unsigned long next_offset = ((char *) de - buf) + rlen;

	if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))

		error_msg = "rec_len is smaller than minimal";

		error_msg = "rec_len % 4 != 0";

	else if (unlikely(rlen < OCFS2_DIR_REC_LEN(de->name_len)))

		error_msg = "rec_len is too small for name_len";

	else if (unlikely(

		 ((char *) de - bh->b_data) + rlen > dir->i_sb->s_blocksize))

		error_msg = "directory entry across blocks";

	else if (unlikely(next_offset > size))

		error_msg = "directory entry overrun";

	else if (unlikely(next_offset > size - OCFS2_DIR_REC_LEN(1)) &&

		 next_offset != size)

		error_msg = "directory entry too close to end";

	if (unlikely(error_msg != NULL))

		mlog(ML_ERROR, "bad entry in directory #%llu: %s - "

	de_buf = first_de;

	dlimit = de_buf + bytes;

	while (de_buf < dlimit) {

	while (de_buf < dlimit - OCFS2_DIR_MEMBER_LEN) {

		/* this code is executed quadratically often */

		/* do minimal checking `by hand' */

		de = (struct ocfs2_dir_entry *) de_buf;

		if (de_buf + namelen <= dlimit &&

		if (de->name + namelen <= dlimit &&

		    ocfs2_match(namelen, name, de)) {

			/* found a match - just to be sure, do a full check */

			if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {

			if (!ocfs2_check_dir_entry(dir, de, bh, first_de,

						   bytes, offset)) {

				ret = -1;

				goto bail;

			}

	pde = NULL;

	de = (struct ocfs2_dir_entry *) first_de;

	while (i < bytes) {

		if (!ocfs2_check_dir_entry(dir, de, bh, i)) {

		if (!ocfs2_check_dir_entry(dir, de, bh, first_de, bytes, i)) {

			status = -EIO;

			mlog_errno(status);

			goto bail;

		/* These checks should've already been passed by the

		 * prepare function, but I guess we can leave them

		 * here anyway. */

		if (!ocfs2_check_dir_entry(dir, de, insert_bh, offset)) {

		if (!ocfs2_check_dir_entry(dir, de, insert_bh, data_start,

					   size, offset)) {

			retval = -ENOENT;

			goto bail;

		}

		}

		de = (struct ocfs2_dir_entry *) (data->id_data + ctx->pos);

		if (!ocfs2_check_dir_entry(inode, de, di_bh, ctx->pos)) {

		if (!ocfs2_check_dir_entry(inode, de, di_bh, (char *)data->id_data,

					   i_size_read(inode), ctx->pos)) {

			/* On error, skip the f_pos to the end. */

			ctx->pos = i_size_read(inode);

			break;

		while (ctx->pos < i_size_read(inode)

		       && offset < sb->s_blocksize) {

			de = (struct ocfs2_dir_entry *) (bh->b_data + offset);

			if (!ocfs2_check_dir_entry(inode, de, bh, offset)) {

			if (!ocfs2_check_dir_entry(inode, de, bh, bh->b_data,

						   sb->s_blocksize, offset)) {

				/* On error, skip the f_pos to the

				   next block. */

				ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;

	struct super_block *sb = dir->i_sb;

	struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;

	struct ocfs2_dir_entry *de, *last_de = NULL;

	char *de_buf, *limit;

	char *first_de, *de_buf, *limit;

	unsigned long offset = 0;

	unsigned int rec_len, new_rec_len, free_space = dir->i_sb->s_blocksize;

	else

		free_space = dir->i_sb->s_blocksize - i_size_read(dir);

	de_buf = di->id2.i_data.id_data;

	first_de = di->id2.i_data.id_data;

	de_buf = first_de;

	limit = de_buf + i_size_read(dir);

	rec_len = OCFS2_DIR_REC_LEN(namelen);

	while (de_buf < limit) {

		de = (struct ocfs2_dir_entry *)de_buf;

		if (!ocfs2_check_dir_entry(dir, de, di_bh, offset)) {

		if (!ocfs2_check_dir_entry(dir, de, di_bh, first_de,

					   i_size_read(dir), offset)) {

			ret = -ENOENT;

			goto out;

		}

			/* move to next block */

			de = (struct ocfs2_dir_entry *) bh->b_data;

		}

		if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {

		if (!ocfs2_check_dir_entry(dir, de, bh, bh->b_data, blocksize,

					   offset)) {

			status = -ENOENT;

			goto bail;

		}