https://bugzilla.kernel.org/show_bug.cgi?id=199185 --- Comment #3 from Theodore Tso (tytso@xxxxxxx) --- Thank you for the bug report. The following should address the issue you reported: commit de57a63ea4389e39b1cdd1cef15e1ec9b58a964c Author: Theodore Ts'o <tytso@xxxxxxx> Date: Sun Mar 25 02:58:44 2018 -0400 ext4: add better range checking for e_value_size in xattrs https://bugzilla.kernel.org/show_bug.cgi?id=199185 Reported-by: Wen Xu <wen.xu@xxxxxxxxxx> Signed-off-by: Theodore Ts'o <tytso@xxxxxxx> Cc: stable@xxxxxxxxxxxxxxx diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 63656dbafdc4..7604d750d234 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -523,10 +523,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (size < 0 || size > buffer_size) + goto cleanup; if (buffer) { - error = -ERANGE; - if (size > buffer_size) - goto cleanup; if (entry->e_value_inum) { error = ext4_xattr_inode_get(inode, entry, buffer, size); @@ -572,10 +572,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (size < 0 || size > buffer_size) + goto cleanup; if (buffer) { - error = -ERANGE; - if (size > buffer_size) - goto cleanup; if (entry->e_value_inum) { error = ext4_xattr_inode_get(inode, entry, buffer, size);
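
Review bot: in the ext4_xattr_block_get hunk, the `size > buffer_size` comparison now sits above `if (buffer)`, so it also runs when buffer is NULL. Before this change a NULL-buffer call skipped that comparison; with it, such a call returns -ERANGE whenever the stored size exceeds buffer_size, which changes the result for any caller that passes no buffer in order to learn the value length. Suggest hoisting only the sanity check on size above `if (buffer)` and leaving `if (size > buffer_size) goto cleanup;` inside it.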
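
Review bot: in the ext4_xattr_ibody_get hunk, the `size < 0` test only does anything if size is declared with a signed type, and that declaration is not in the visible context; if it is unsigned, the test is always false and the only effective bound is buffer_size. Suggest comparing the result of le32_to_cpu(entry->e_value_size) against an explicit maximum value size instead, and keeping the `size > buffer_size` comparison inside `if (buffer)` so that NULL-buffer calls are not rejected. The commit message has a subject and the bug link but no body; a sentence on what kind of e_value_size triggers the reported problem would help reviewers of the stable backport.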