hfsplus: Add additional range check to handle on-disk corruptions

'recoff' is read from disk and used for an argument to memcpy, so if the value read from disk is larger than the page size, it result to "general protection fault". This patch add additional range check for the value, so that disk fuzz won't cause such fault. Signed-off-by: Naohiro Aota <naota@elisp.net> Signed-off-by: Christoph Hellwig <hch@lst.de>
author: Naohiro Aota <naota@elisp.net> 2011-07-11 17:54:13 (GMT)
committer: Christoph Hellwig <hch@lst.de> 2011-07-22 14:36:56 (GMT)
commit: aac4e4198eff7f9551d586c55342403d49249d95 (patch)
tree: 9fadb2150044176f1585133d0cf2711c737ddd99
parent: dd7f3d5458e5c0eded620fe8192abe7e418fc94c (diff)
download: linux-aac4e4198eff7f9551d586c55342403d49249d95.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 2312de3..2a734cf 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
 			node->tree->node_size - (rec + 1) * 2);
 		if (!recoff)
 			return 0;
+		if (recoff > node->tree->node_size - 2) {
+			printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
+			return 0;
+		}
 
 		retval = hfs_bnode_read_u16(node, recoff) + 2;
 		if (retval > node->tree->max_key_len + 2) {
author	Naohiro Aota <naota@elisp.net>	2011-07-11 17:54:13 (GMT)
committer	Christoph Hellwig <hch@lst.de>	2011-07-22 14:36:56 (GMT)
commit	aac4e4198eff7f9551d586c55342403d49249d95 (patch)
tree	9fadb2150044176f1585133d0cf2711c737ddd99
parent	dd7f3d5458e5c0eded620fe8192abe7e418fc94c (diff)
download	linux-aac4e4198eff7f9551d586c55342403d49249d95.tar.xz