The boundary test for the fixed-offset parts of xfs_attr_sf_entry
in xfs_attr_shortform_verify is off by one. endp is the address
just past the end of the valid data; to check the last byte of
a structure at offset of size "size" we must subtract one.
(i.e. for an object at offset 10, size 4, last byte is 13 not 14).
This can be shown by:
# touch file
# setfattr -n root.a file
and subsequent verifications will fail when it's reread from disk.
This only matters for a last attribute which has a single-byte name
and no value, otherwise the combination of namelen & valuelen will
push endp out and this test won't fail.
Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 8623c815164a..a0cf22f0c904 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1037,7 +1037,7 @@ xfs_attr_shortform_verify(
* Check the fixed-offset parts of the structure are
* within the data buffer.
*/
- if (((char *)sfep + sizeof(*sfep)) >= endp)
+ if (((char *)sfep + sizeof(*sfep)-1) >= endp)
return __this_address;
/* Don't allow names with known bad length. */
