jfs: don't walk off the end of ealist

Add a check before visiting the members of ea to
make sure each ea stays within the ealist.

Signed-off-by: lei lu <llfamsec@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>

authored by

lei lu and committed by
Dave Kleikamp
d0fa70ac 7063b802

+19 -4
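--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -795,7 +795,7 @@
 		       size_t buf_size)
 {
 	struct jfs_ea_list *ealist;
-	struct jfs_ea *ea;
+	struct jfs_ea *ea, *ealist_end;
 	struct ea_buffer ea_buf;
 	int xattr_size;
 	ssize_t size;
@@ -815,9 +815,16 @@
 		goto not_found;
 
 	ealist = (struct jfs_ea_list *) ea_buf.xattr;
+	ealist_end = END_EALIST(ealist);
 
 	/* Find the named attribute */
-	for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea))
+	for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
+		if (unlikely(ea + 1 > ealist_end) ||
+		    unlikely(NEXT_EA(ea) > ealist_end)) {
+			size = -EUCLEAN;
+			goto release;
+		}
+
 		if ((namelen == ea->namelen) &&
 		    memcmp(name, ea->name, namelen) == 0) {
 			/* Found it */
@@ -832,6 +839,7 @@
 			memcpy(data, value, size);
 			goto release;
 		}
+	}
 not_found:
 	size = -ENODATA;
 release:
@@ -859,7 +867,7 @@
 	ssize_t size = 0;
 	int xattr_size;
 	struct jfs_ea_list *ealist;
-	struct jfs_ea *ea;
+	struct jfs_ea *ea, *ealist_end;
 	struct ea_buffer ea_buf;
 
 	down_read(&JFS_IP(inode)->xattr_sem);
@@ -874,9 +882,16 @@
 		goto release;
 
 	ealist = (struct jfs_ea_list *) ea_buf.xattr;
+	ealist_end = END_EALIST(ealist);
 
 	/* compute required size of list */
-	for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
+	for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
+		if (unlikely(ea + 1 > ealist_end) ||
+		    unlikely(NEXT_EA(ea) > ealist_end)) {
+			size = -EUCLEAN;
+			goto release;
+		}
+
 		if (can_list(ea))
 			size += name_size(ea) + 1;
 	}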
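Review bot: Both new loop guards measure each entry against `ealist_end`, which comes from `END_EALIST(ealist)`; if that macro derives the end from the size field stored in the list itself (its definition is not in this diff), the bound is only as trustworthy as the on-disk data. A corrupted image with an oversized list size would then still let the walk, and the `memcpy(data, value, size)` in the first function, run past the buffer behind `ea_buf.xattr`. Consider bounding the end once before each loop against the length actually read, for example `if (unlikely((char *)ealist_end > (char *)ealist + xattr_size)) { size = -EUCLEAN; goto release; }`, assuming `xattr_size` holds that length at this point. A rate-limited log message on the two `-EUCLEAN` paths would also help operators notice a damaged filesystem instead of seeing only a failed xattr call. Both functions begin and end outside the hunks shown.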