Squashfs: sanity check information from disk

We read the size of the name from the disk, but a larger name than
expected would cause memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>

diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 7834a517f7f422cfb9bc35f997e8c69e4e91e52d..f866d42a8b6f3f0d212ab5df95b2a3c2babb0437 100644 (file)
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -79,7 +79,8 @@ static int get_dir_index_using_name(struct super_block *sb,
                        int len)
 {
        struct squashfs_sb_info *msblk = sb->s_fs_info;
-       int i, size, length = 0, err;
+       int i, length = 0, err;
+       unsigned int size;
        struct squashfs_dir_index *index;
        char *str;
 
@@ -103,6 +104,10 @@ static int get_dir_index_using_name(struct super_block *sb,
 
 
                size = le32_to_cpu(index->size) + 1;
+               if (size > SQUASHFS_NAME_LEN) {
+                       err = -EINVAL;
+                       break;
+               }
 
                err = squashfs_read_metadata(sb, index->name, &index_start,
                                        &index_offset, size);