Squashfs: add corruption check for type in squashfs_readdir() (9e012423) · Commits · e / devices / android_kernel_xiaomi_markw

fs/squashfs/dir.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -112,8 +112,8 @@ static int squashfs_readdir(struct file file, struct dir_context ctx)
		struct inode *inode = file_inode(file);
		struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
		u64 block = squashfs_i(inode)->start + msblk->directory_table;
		int offset = squashfs_i(inode)->offset, length, type, err;
		unsigned int inode_number, dir_count, size;
		int offset = squashfs_i(inode)->offset, length, err;
		unsigned int inode_number, dir_count, size, type;
		struct squashfs_dir_header dirh;
		struct squashfs_dir_entry *dire;

		@@ -206,6 +206,9 @@ static int squashfs_readdir(struct file file, struct dir_context ctx)
		((short) le16_to_cpu(dire->inode_number));
		type = le16_to_cpu(dire->type);

		if (type > SQUASHFS_MAX_DIR_TYPE)
		goto failed_read;

		if (!dir_emit(ctx, dire->name, size,
		inode_number,
		squashfs_filetype_table[type]))

+4 −1

Original line number	Diff line number	Diff line
		@@ -87,7 +87,7 @@
		#define SQUASHFS_COMP_OPTS(flags) SQUASHFS_BIT(flags, \
		SQUASHFS_COMP_OPT)

		/* Max number of types and file types */
		/* Inode types including extended types */
		#define SQUASHFS_DIR_TYPE 1
		#define SQUASHFS_REG_TYPE 2
		#define SQUASHFS_SYMLINK_TYPE 3
		@@ -103,6 +103,9 @@
		#define SQUASHFS_LFIFO_TYPE 13
		#define SQUASHFS_LSOCKET_TYPE 14

		/* Max type value stored in directory entry */
		#define SQUASHFS_MAX_DIR_TYPE 7

		/* Xattr types */
		#define SQUASHFS_XATTR_USER 0
		#define SQUASHFS_XATTR_TRUSTED 1