Added out-of-bound checking for *dp0 (DIR_PAGE_ENTRY_32).

Signed-off-by: lei lu <llfamsec@xxxxxxxxx>
---
 fs/ntfs3/fslog.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
index 855519713bf7..af6f2ce9ea68 100644
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -4184,10 +4184,14 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 	dp = NULL;
 	while ((dp = enum_rstbl(dptbl, dp))) {
 		struct DIR_PAGE_ENTRY_32 *dp0 = (struct DIR_PAGE_ENTRY_32 *)dp;
-		// NOTE: Danger. Check for of boundary.
-		memmove(&dp->vcn, &dp0->vcn_low,
-			2 * sizeof(u64) +
-				le32_to_cpu(dp->lcns_follow) * sizeof(u64));
+		// Check for of boundary.
+		u32 len = 2 * sizeof(u64) +
+			le32_to_cpu(dp->lcns_follow) * sizeof(u64);
+		if (PtrOffset(dptbl, &dp0->vcn_low) + len > t32) {
+			err = -EINVAL;
+			goto out;
+		}
+		memmove(&dp->vcn, &dp0->vcn_low, len);
 	}
 end_conv_1:
-- 
2.34.1
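Review bot: `u32 len` narrows the very length the new check is meant to validate: `lcns_follow` is a 32-bit on-disk value, and on 64-bit kernels `le32_to_cpu(dp->lcns_follow) * sizeof(u64)` is computed in `size_t` and then truncated to 32 bits, so a corrupt count of 2^29 or more produces a small `len` that passes the `> t32` test while the converted entry no longer covers what `lcns_follow` claims (on 32-bit kernels the product itself can wrap). Declaring it as `u64 len = 2 * sizeof(u64) + (u64)le32_to_cpu(dp->lcns_follow) * sizeof(u64);` keeps the comparison exact, and after the check `len` is bounded by `t32` so passing it to `memmove` is fine. The check also only bounds the source span at `&dp0->vcn_low`; since the copy rewrites the entry in place, the destination `&dp->vcn` should be bounded as well unless it is known to sit at or below the source offset, e.g. `|| PtrOffset(dptbl, &dp->vcn) + len > t32`. The comment `// Check for of boundary.` is garbled; `// Bounds-check the 32-bit entry against the table before converting it in place.` would state what the test protects. log_replay begins and ends outside the hunk, and this assumes `t32` holds the table's byte length, which the hunk does not show.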