author | David Sterba <dsterba@suse.cz> | 2014-11-05 15:24:51 +0100 |
---|---|---|
committer | Chris Mason <clm@fb.com> | 2015-02-02 19:24:39 -0800 |
commit | e3540eab29e1b2260bc4b9b3979a49a00e3e3af8 (patch) | |
tree | db22ad2525c71e04922ca49b92416dd92687f7ea /fs/btrfs | |
parent | 1ffb22cf8c322bbfea6b35fe23d025841b49fede (diff) | |
btrfs: add more checks to btrfs_read_sys_array
Verify that the sys_array has enough bytes to read the next item.
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs/btrfs')
-rw-r--r-- | fs/btrfs/volumes.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index b33c83be2a97..2c4cab2dbd1a 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6296,20 +6296,34 @@ int btrfs_read_sys_array(struct btrfs_root *root) while (cur_offset < array_size) { disk_key = (struct btrfs_disk_key *)array_ptr; + len = sizeof(*disk_key); + if (cur_offset + len > array_size) + goto out_short_read; + btrfs_disk_key_to_cpu(&key, disk_key); - len = sizeof(*disk_key); array_ptr += len; sb_array_offset += len; cur_offset += len; if (key.type == BTRFS_CHUNK_ITEM_KEY) { chunk = (struct btrfs_chunk *)sb_array_offset; + /* + * At least one btrfs_chunk with one stripe must be + * present, exact stripe count check comes afterwards + */ + len = btrfs_chunk_item_size(1); + if (cur_offset + len > array_size) + goto out_short_read; + + num_stripes = btrfs_chunk_num_stripes(sb, chunk); + len = btrfs_chunk_item_size(num_stripes); + if (cur_offset + len > array_size) + goto out_short_read; + ret = read_one_chunk(root, &key, sb, chunk); if (ret) break; - num_stripes = btrfs_chunk_num_stripes(sb, chunk); - len = btrfs_chunk_item_size(num_stripes); } else { ret = -EIO; break; @@ -6320,6 +6334,12 @@ int btrfs_read_sys_array(struct btrfs_root *root) } free_extent_buffer(sb); return ret; + +out_short_read: + printk(KERN_ERR "BTRFS: sys_array too short to read %u bytes at offset %u\n", + len, cur_offset); + free_extent_buffer(sb); + return -EIO; } int btrfs_read_chunk_tree(struct btrfs_root *root) |
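Review bot: `num_stripes` is read from the on-disk chunk in the `BTRFS_CHUNK_ITEM_KEY` branch and passed to `btrfs_chunk_item_size()` with no range check, so the second bounds test is only as good as that helper's handling of every possible value. A stripe count of 0 is the case to rule out: the helper is defined outside this hunk, and if it derives the size from `num_stripes - 1` or asserts on 0, a corrupted or crafted superblock would either produce a `len` below the one-stripe minimum just checked or hit the assertion instead of the `-EIO` path. Rejecting it before the size computation keeps the failure recoverable, e.g. `if (!num_stripes) { ret = -EIO; break; }` directly after the `btrfs_chunk_num_stripes()` call. The declarations of `len`, `cur_offset` and `array_size` are also outside the hunk; the `cur_offset + len > array_size` tests presumably rely on them being unsigned and wide enough that the sum cannot wrap, which is worth confirming.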