aboutsummaryrefslogtreecommitdiff
path: root/fs/udf/inode.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/udf/inode.c')
-rw-r--r--fs/udf/inode.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 287cd5f23421..142d29e3ccdf 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
}
+ /*
+ * Sanity check length of allocation descriptors and extended attrs to
+ * avoid integer overflows
+ */
+ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
+ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+ make_bad_inode(inode);
+ return;
+ }
+ /* Now do exact checks */
+ if (udf_file_entry_alloc_offset(inode)
+ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+ make_bad_inode(inode);
+ return;
+ }
+
switch (fe->icbTag.fileType) {
case ICBTAG_FILE_TYPE_DIRECTORY:
inode->i_op = &udf_dir_inode_operations;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-18 18:04:00 +0000