Skip to content

Commit d0fa70a

Browse files
LLfamkleikamp
LLfam
authored and
kleikamp
committed
jfs: don't walk off the end of ealist
Add a check before visiting the members of ea to make sure each ea stays within the ealist. Signed-off-by: lei lu <llfamsec@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
1 parent 7063b80 commit d0fa70a

File tree

1 file changed

+19
-4
lines changed

1 file changed

+19
-4
lines changed

fs/jfs/xattr.c

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -795,7 +795,7 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
795795
size_t buf_size)
796796
{
797797
struct jfs_ea_list *ealist;
798-
struct jfs_ea *ea;
798+
struct jfs_ea *ea, *ealist_end;
799799
struct ea_buffer ea_buf;
800800
int xattr_size;
801801
ssize_t size;
@@ -815,9 +815,16 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
815815
goto not_found;
816816

817817
ealist = (struct jfs_ea_list *) ea_buf.xattr;
818+
ealist_end = END_EALIST(ealist);
818819

819820
/* Find the named attribute */
820-
for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea))
821+
for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
822+
if (unlikely(ea + 1 > ealist_end) ||
823+
unlikely(NEXT_EA(ea) > ealist_end)) {
824+
size = -EUCLEAN;
825+
goto release;
826+
}
827+
821828
if ((namelen == ea->namelen) &&
822829
memcmp(name, ea->name, namelen) == 0) {
823830
/* Found it */
@@ -832,6 +839,7 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
832839
memcpy(data, value, size);
833840
goto release;
834841
}
842+
}
835843
not_found:
836844
size = -ENODATA;
837845
release:
@@ -859,7 +867,7 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size)
859867
ssize_t size = 0;
860868
int xattr_size;
861869
struct jfs_ea_list *ealist;
862-
struct jfs_ea *ea;
870+
struct jfs_ea *ea, *ealist_end;
863871
struct ea_buffer ea_buf;
864872

865873
down_read(&JFS_IP(inode)->xattr_sem);
@@ -874,9 +882,16 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size)
874882
goto release;
875883

876884
ealist = (struct jfs_ea_list *) ea_buf.xattr;
885+
ealist_end = END_EALIST(ealist);
877886

878887
/* compute required size of list */
879-
for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
888+
for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
889+
if (unlikely(ea + 1 > ealist_end) ||
890+
unlikely(NEXT_EA(ea) > ealist_end)) {
891+
size = -EUCLEAN;
892+
goto release;
893+
}
894+
880895
if (can_list(ea))
881896
size += name_size(ea) + 1;
882897
}

0 commit comments

Comments
 (0)