btrfs: add more checks to btrfs_read_sys_array
Verify that the sys_array has enough bytes to read the next item. Signed-off-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com>
This commit is contained in:
parent
1ffb22cf8c
commit
e3540eab29
|
@ -6296,20 +6296,34 @@ int btrfs_read_sys_array(struct btrfs_root *root)
|
||||||
|
|
||||||
while (cur_offset < array_size) {
|
while (cur_offset < array_size) {
|
||||||
disk_key = (struct btrfs_disk_key *)array_ptr;
|
disk_key = (struct btrfs_disk_key *)array_ptr;
|
||||||
|
len = sizeof(*disk_key);
|
||||||
|
if (cur_offset + len > array_size)
|
||||||
|
goto out_short_read;
|
||||||
|
|
||||||
btrfs_disk_key_to_cpu(&key, disk_key);
|
btrfs_disk_key_to_cpu(&key, disk_key);
|
||||||
|
|
||||||
len = sizeof(*disk_key);
|
|
||||||
array_ptr += len;
|
array_ptr += len;
|
||||||
sb_array_offset += len;
|
sb_array_offset += len;
|
||||||
cur_offset += len;
|
cur_offset += len;
|
||||||
|
|
||||||
if (key.type == BTRFS_CHUNK_ITEM_KEY) {
|
if (key.type == BTRFS_CHUNK_ITEM_KEY) {
|
||||||
chunk = (struct btrfs_chunk *)sb_array_offset;
|
chunk = (struct btrfs_chunk *)sb_array_offset;
|
||||||
|
/*
|
||||||
|
* At least one btrfs_chunk with one stripe must be
|
||||||
|
* present, exact stripe count check comes afterwards
|
||||||
|
*/
|
||||||
|
len = btrfs_chunk_item_size(1);
|
||||||
|
if (cur_offset + len > array_size)
|
||||||
|
goto out_short_read;
|
||||||
|
|
||||||
|
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
|
||||||
|
len = btrfs_chunk_item_size(num_stripes);
|
||||||
|
if (cur_offset + len > array_size)
|
||||||
|
goto out_short_read;
|
||||||
|
|
||||||
ret = read_one_chunk(root, &key, sb, chunk);
|
ret = read_one_chunk(root, &key, sb, chunk);
|
||||||
if (ret)
|
if (ret)
|
||||||
break;
|
break;
|
||||||
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
|
|
||||||
len = btrfs_chunk_item_size(num_stripes);
|
|
||||||
} else {
|
} else {
|
||||||
ret = -EIO;
|
ret = -EIO;
|
||||||
break;
|
break;
|
||||||
|
@ -6320,6 +6334,12 @@ int btrfs_read_sys_array(struct btrfs_root *root)
|
||||||
}
|
}
|
||||||
free_extent_buffer(sb);
|
free_extent_buffer(sb);
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
out_short_read:
|
||||||
|
printk(KERN_ERR "BTRFS: sys_array too short to read %u bytes at offset %u\n",
|
||||||
|
len, cur_offset);
|
||||||
|
free_extent_buffer(sb);
|
||||||
|
return -EIO;
|
||||||
}
|
}
|
||||||
|
|
||||||
int btrfs_read_chunk_tree(struct btrfs_root *root)
|
int btrfs_read_chunk_tree(struct btrfs_root *root)
|
||||||
|
|
Loading…
Reference in New Issue