
Commit f960cae5 authored by Phillip Lougher

Squashfs: add corruption check in get_dir_index_using_offset()



We read the size (of the name) field from disk.  This value should
be sanity checked for correctness to avoid blindly reading
huge amounts of unnecessary data from disk on corruption.

Note, here we're not actually reading the name into a buffer, but
skipping it, and so corruption doesn't cause buffer overflow, merely
lots of unnecessary amounts of data to be read.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
parent 68e7f412
+8 −1
@@ -54,6 +54,7 @@ static int get_dir_index_using_offset(struct super_block *sb,
{
	struct squashfs_sb_info *msblk = sb->s_fs_info;
	int err, i, index, length = 0;
	unsigned int size;
	struct squashfs_dir_index dir_index;

	TRACE("Entered get_dir_index_using_offset, i_count %d, f_pos %lld\n",
@@ -81,8 +82,14 @@ static int get_dir_index_using_offset(struct super_block *sb,
			 */
			break;

		size = le32_to_cpu(dir_index.size) + 1;

		/* size should never be larger than SQUASHFS_NAME_LEN */
		if (size > SQUASHFS_NAME_LEN)
			break;

		err = squashfs_read_metadata(sb, NULL, &index_start,
				&index_offset, le32_to_cpu(dir_index.size) + 1);
				&index_offset, size);
		if (err < 0)
			break;
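
Review bot: In the new check `if (size > SQUASHFS_NAME_LEN)`, `size` is an `unsigned int` computed as `le32_to_cpu(dir_index.size) + 1`, so an on-disk value of 0xFFFFFFFF wraps to 0 and passes the check. That yields a zero-length squashfs_read_metadata() call rather than a huge read, so it is not the case the commit message is worried about, but a clearly corrupt entry is still accepted silently. Testing the raw field before adding 1 (for example rejecting `le32_to_cpu(dir_index.size) >= SQUASHFS_NAME_LEN`) would close that gap. The corruption path also leaves the loop with a bare `break` and no message, the same way the neighbouring error paths do, so a log line here would make a damaged image distinguishable from an ordinary early exit.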