Squashfs: add corruption check for type in squashfs_readdir()
We read the type field from disk. This value should be sanity checked for correctness to avoid an out of bounds access when reading the squashfs_filetype_table array. Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
This commit is contained in:
parent
f960cae535
commit
9e01242386
|
@ -112,8 +112,8 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
|
|||
struct inode *inode = file_inode(file);
|
||||
struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
|
||||
u64 block = squashfs_i(inode)->start + msblk->directory_table;
|
||||
int offset = squashfs_i(inode)->offset, length, type, err;
|
||||
unsigned int inode_number, dir_count, size;
|
||||
int offset = squashfs_i(inode)->offset, length, err;
|
||||
unsigned int inode_number, dir_count, size, type;
|
||||
struct squashfs_dir_header dirh;
|
||||
struct squashfs_dir_entry *dire;
|
||||
|
||||
|
@ -206,6 +206,9 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx)
|
|||
((short) le16_to_cpu(dire->inode_number));
|
||||
type = le16_to_cpu(dire->type);
|
||||
|
||||
if (type > SQUASHFS_MAX_DIR_TYPE)
|
||||
goto failed_read;
|
||||
|
||||
if (!dir_emit(ctx, dire->name, size,
|
||||
inode_number,
|
||||
squashfs_filetype_table[type]))
|
||||
|
|
|
@ -87,7 +87,7 @@
|
|||
#define SQUASHFS_COMP_OPTS(flags) SQUASHFS_BIT(flags, \
|
||||
SQUASHFS_COMP_OPT)
|
||||
|
||||
/* Max number of types and file types */
|
||||
/* Inode types including extended types */
|
||||
#define SQUASHFS_DIR_TYPE 1
|
||||
#define SQUASHFS_REG_TYPE 2
|
||||
#define SQUASHFS_SYMLINK_TYPE 3
|
||||
|
@ -103,6 +103,9 @@
|
|||
#define SQUASHFS_LFIFO_TYPE 13
|
||||
#define SQUASHFS_LSOCKET_TYPE 14
|
||||
|
||||
/* Max type value stored in directory entry */
|
||||
#define SQUASHFS_MAX_DIR_TYPE 7
|
||||
|
||||
/* Xattr types */
|
||||
#define SQUASHFS_XATTR_USER 0
|
||||
#define SQUASHFS_XATTR_TRUSTED 1
|
||||
|
|
Loading…
Reference in New Issue