mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
dlm: validate data in dlm_recover_directory()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>
This commit is contained in:
parent
02ed16b64d
commit
cd9df1aac3
1 changed files with 20 additions and 3 deletions
23
fs/dlm/dir.c
23
fs/dlm/dir.c
|
@ -220,6 +220,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
|
||||||
last_len = 0;
|
last_len = 0;
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
int left;
|
||||||
error = dlm_recovery_stopped(ls);
|
error = dlm_recovery_stopped(ls);
|
||||||
if (error)
|
if (error)
|
||||||
goto out_free;
|
goto out_free;
|
||||||
|
@ -236,11 +237,20 @@ int dlm_recover_directory(struct dlm_ls *ls)
|
||||||
*/
|
*/
|
||||||
|
|
||||||
b = ls->ls_recover_buf->rc_buf;
|
b = ls->ls_recover_buf->rc_buf;
|
||||||
|
left = ls->ls_recover_buf->rc_header.h_length;
|
||||||
|
left -= sizeof(struct dlm_rcom);
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
memcpy(&namelen, b, sizeof(uint16_t));
|
__be16 v;
|
||||||
namelen = be16_to_cpu(namelen);
|
|
||||||
b += sizeof(uint16_t);
|
error = -EINVAL;
|
||||||
|
if (left < sizeof(__be16))
|
||||||
|
goto out_free;
|
||||||
|
|
||||||
|
memcpy(&v, b, sizeof(__be16));
|
||||||
|
namelen = be16_to_cpu(v);
|
||||||
|
b += sizeof(__be16);
|
||||||
|
left -= sizeof(__be16);
|
||||||
|
|
||||||
/* namelen of 0xFFFFF marks end of names for
|
/* namelen of 0xFFFFF marks end of names for
|
||||||
this node; namelen of 0 marks end of the
|
this node; namelen of 0 marks end of the
|
||||||
|
@ -251,6 +261,12 @@ int dlm_recover_directory(struct dlm_ls *ls)
|
||||||
if (!namelen)
|
if (!namelen)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
if (namelen > left)
|
||||||
|
goto out_free;
|
||||||
|
|
||||||
|
if (namelen > DLM_RESNAME_MAXLEN)
|
||||||
|
goto out_free;
|
||||||
|
|
||||||
error = -ENOMEM;
|
error = -ENOMEM;
|
||||||
de = get_free_de(ls, namelen);
|
de = get_free_de(ls, namelen);
|
||||||
if (!de)
|
if (!de)
|
||||||
|
@ -262,6 +278,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
|
||||||
memcpy(de->name, b, namelen);
|
memcpy(de->name, b, namelen);
|
||||||
memcpy(last_name, b, namelen);
|
memcpy(last_name, b, namelen);
|
||||||
b += namelen;
|
b += namelen;
|
||||||
|
left -= namelen;
|
||||||
|
|
||||||
add_entry_to_hash(ls, de);
|
add_entry_to_hash(ls, de);
|
||||||
count++;
|
count++;
|
||||||
|
|
Loading…
Reference in a new issue