Perform a little more sanity checking of EA value offsets so that we don't crash while trying to load things from the filesystem.

Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
---
 lib/ext2fs/ext2_err.et.in | 3 +++
 lib/ext2fs/ext_attr.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lib/ext2fs/ext2_err.et.in b/lib/ext2fs/ext2_err.et.in
index 2194a18..6b6d8b8 100644
--- a/lib/ext2fs/ext2_err.et.in
+++ b/lib/ext2fs/ext2_err.et.in
@@ -518,4 +518,7 @@ ec EXT2_ET_MAGIC_EA_HANDLE,
 ec EXT2_ET_INODE_IS_GARBAGE,
 "Inode seems to contain garbage"
+ec EXT2_ET_EA_BAD_VALUE_OFFSET,
+ "Extended attribute has an invalid value offset"
+
 end
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index f3fba96..96530f8 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -624,6 +624,8 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 void *ptr;
 unsigned int remain, prefix_len;
 errcode_t err;
+ unsigned int values_size = storage_size +
+ ((char *)entries - (char *)value_start);
 x = handle->attrs;
 while (x->name)
@@ -648,6 +650,9 @@ static errcode_t read_xattrs_from_buffer(struct ext2_xattr_handle *handle,
 if (entry->e_value_size > remain)
 return EXT2_ET_EA_BAD_VALUE_SIZE;
+ if (entry->e_value_offs + entry->e_value_size > values_size)
+ return EXT2_ET_EA_BAD_VALUE_OFFSET;
+
 /* e_value_block must be 0 in inode's ea */
 if (entry->e_value_block != 0)
 return EXT2_ET_BAD_EA_BLOCK_NUM;
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
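Review bot: The new bound in the second ext_attr.c hunk, `entry->e_value_offs + entry->e_value_size > values_size`, is only overflow-safe because the `e_value_size > remain` check immediately above it already caps the size; written as a subtraction the check stands on its own regardless of ordering: `if (entry->e_value_offs > values_size || entry->e_value_size > values_size - entry->e_value_offs)`. In the first ext_attr.c hunk `values_size` folds the pointer difference `(char *)entries - (char *)value_start` (a ptrdiff_t) into an `unsigned int`, which presumably relies on the entry table never preceding value_start; a one-line comment stating that invariant, e.g. `/* value offsets are relative to value_start, which is at or before the entry table */`, would make the computation reviewable — confirm against the callers. read_xattrs_from_buffer begins before the first hunk and continues past the second, so the full set of checks on the entry is not visible here.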