Re: [PATCH v2] staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Chao,

On 2019/2/18 9:39, Chao Yu wrote:
> If the image is corrupted, qn->name[i] may be anything, as you commented
> above DBG_BUGON(), we really don't need to go through any later codes, it
> can avoid potentially encoutnering wrong condition.
> 
> * otherwise, it will return 1 to just skip the invalid name
> 

Just I commented in the following source code, qn is actually the user requested
name allocated in __d_alloc, which can be guaranteed with the trailing '\0' and
it is a valid string.

Thanks,
Gao Xiang

>>>> +
>>>> +	/* qd could not have trailing '\0' */
>>>> +	/* However it is absolutely safe if < qd->end */
>>>> +	while (qd->name + i < qd->end && qd->name[i] != '\0') {
>>>> +		if (qn->name[i] != qd->name[i]) {
>>>> +			*matched = i;
>>>> +			return qn->name[i] > qd->name[i] ? 1 : -1;
>>>>  		}
>>>> -		return (qn->len > qd->len);
>>>> +		++i;
>>>>  	}
>>>> -
>>>> -	if (qn->name[i] != qd->name[i]) {
>>>> -		*matched = i;
>>>> -		return qn->name[i] > qd->name[i] ? 1 : -1;
>>>> -	}
>>>> -
>>>> -	++i;
>>>> -	goto loop;
>>>> +	*matched = i;
>>>> +	/* See comments in __d_alloc on the terminating NUL character */
>>>> +	return qn->name[i] == '\0' ? 0 : 1;
>>>>  }



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux