Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1d82a56b authored by Fabian Frederick's avatar Fabian Frederick Committed by Jan Kara
Browse files

udf: check partition reference in udf_read_inode() 



We were checking block number without checking partition.
sbi->s_partmaps[iloc->partitionReferenceNum] could lead to
bad memory access. See udf_nfs_get_inode() path for instance.

Signed-off-by: default avatarFabian Frederick <fabf@skynet.be>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent 23bcda11

fs/udf/inode.c

+6 −0
Original line number Original line Diff line number Diff line
@@ -1277,6 +1277,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) 
	int ret = -EIO;

	int ret = -EIO;





reread:

reread:

	if (iloc->partitionReferenceNum >= sbi->s_partitions) {

		udf_debug("partition reference: %d > logical volume partitions: %d\n",

			  iloc->partitionReferenceNum, sbi->s_partitions);

		return -EIO;

	}



	if (iloc->logicalBlockNum >=

	if (iloc->logicalBlockNum >=

	    sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {

	    sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {

		udf_debug("block=%d, partition=%d out of range\n",

		udf_debug("block=%d, partition=%d out of range\n",