hfsplus: Add additional range check to handle on-disk corruptions
'recoff' is read from disk and used as an argument to memcpy, so if
the value read from disk is larger than the page size, it results in a
"general protection fault". This patch adds an additional range check for
the value, so that disk fuzz won't cause such a fault.

Signed-off-by: Naohiro Aota <naota@elisp.net>
Signed-off-by: Christoph Hellwig <hch@lst.de>
naota authored and Christoph Hellwig committed Jul 22, 2011
1 parent dd7f3d5 commit aac4e41
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions fs/hfsplus/brec.c
Expand Up @@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
node->tree->node_size - (rec + 1) * 2);
if (!recoff)
return 0;
if (recoff > node->tree->node_size - 2) {
printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
return 0;
}

retval = hfs_bnode_read_u16(node, recoff) + 2;
if (retval > node->tree->max_key_len + 2) {
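Review bot: The new "recoff > node->tree->node_size - 2" branch returns 0, the same value the "if (!recoff)" branch just above it returns, so a caller cannot tell a corrupt on-disk offset from an absent record; a comment stating that 0 means "invalid key length" for both cases, or a distinct error path, would make the contract explicit. The printk(KERN_ERR ...) in that branch is also unconditional and names neither the node nor the record, so a corrupted or fuzzed volume can emit one identical line per lookup; consider rate limiting it and including the node and rec values so the log entry can be tied back to the damaged structure. The check only bounds recoff from above, so it is worth confirming that small nonzero offsets are rejected somewhere before hfs_bnode_read_u16(node, recoff) uses the value.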