fs/ntfs3: Restore overflow checking for attr size in mi_enum_attr (30200ef8) · Commits · EulixOS / Software / Kernel

fs/ntfs3/index.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -994,7 +994,7 @@ struct INDEX_ROOT indx_get_root(struct ntfs_index indx, struct ntfs_inode *ni,
		struct ATTR_LIST_ENTRY *le = NULL;
		struct ATTRIB *a;
		const struct INDEX_NAMES *in = &s_index_names[indx->type];
		struct INDEX_ROOT *root = NULL;
		struct INDEX_ROOT *root;

		a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, NULL,
		mi);
		@@ -1007,7 +1007,8 @@ struct INDEX_ROOT indx_get_root(struct ntfs_index indx, struct ntfs_inode *ni,
		root = resident_data_ex(a, sizeof(struct INDEX_ROOT));

		/* length check */
		if (root && offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) >
		if (root &&
		offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) >
		le32_to_cpu(a->res.data_size)) {
		return NULL;
		}

+5 −0

Original line number	Diff line number	Diff line
		@@ -220,6 +220,11 @@ struct ATTRIB mi_enum_attr(struct mft_inode mi, struct ATTRIB *attr)
		return NULL;
		}

		if (off + asize < off) {
		/* Overflow check. */
		return NULL;
		}

		attr = Add2Ptr(attr, asize);
		off += asize;
		}

+1 −1

Original line number	Diff line number	Diff line
		@@ -1187,7 +1187,7 @@ static int ntfs_fill_super(struct super_block sb, struct fs_context fc)

		/*
		* Typical $AttrDef contains up to 20 entries.
		* Check for extremely large size.
		* Check for extremely large/small size.
		*/
		if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY) \|\|
		inode->i_size > 100 * sizeof(struct ATTR_DEF_ENTRY)) {