---

yaml --- r: 252084 b: refs/heads/master c: 1cac63c h: refs/heads/master v: v3
git-mirror · May 25, 2011 · 6c015f6 · 6c015f6
1 parent 3816168
commit 6c015f6
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 5 deletions.
diff --git a/[refs] b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: ac51a0a7139aa93bf1176b701c86fa3d2bdf6106
+refs/heads/master: 1cac63cc9b2ff0d16ab2d16232b1a6ee8676a47b
diff --git a/trunk/fs/squashfs/fragment.c b/trunk/fs/squashfs/fragment.c
@@ -71,9 +71,29 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
  * Read the uncompressed fragment lookup table indexes off disk into memory
  */
 __le64 *squashfs_read_fragment_index_table(struct super_block *sb,
-	u64 fragment_table_start, unsigned int fragments)
+	u64 fragment_table_start, u64 next_table, unsigned int fragments)
 {
 	unsigned int length = SQUASHFS_FRAGMENT_INDEX_BYTES(fragments);
+	__le64 *table;
 
-	return squashfs_read_table(sb, fragment_table_start, length);
+	/*
+	 * Sanity check, length bytes should not extend into the next table -
+	 * this check also traps instances where fragment_table_start is
+	 * incorrectly larger than the next table start
+	 */
+	if (fragment_table_start + length > next_table)
+		return ERR_PTR(-EINVAL);
+
+	table = squashfs_read_table(sb, fragment_table_start, length);
+
+	/*
+	 * table[0] points to the first fragment table metadata block, this
+	 * should be less than fragment_table_start
+	 */
+	if (!IS_ERR(table) && table[0] >= fragment_table_start) {
+		kfree(table);
+		return ERR_PTR(-EINVAL);
+	}
+
+	return table;
 }
diff --git a/trunk/fs/squashfs/squashfs.h b/trunk/fs/squashfs/squashfs.h
@@ -57,7 +57,7 @@ extern __le64 *squashfs_read_inode_lookup_table(struct super_block *, u64, u64,
 /* fragment.c */
 extern int squashfs_frag_lookup(struct super_block *, unsigned int, u64 *);
 extern __le64 *squashfs_read_fragment_index_table(struct super_block *,
-				u64, unsigned int);
+				u64, u64, unsigned int);
 
 /* id.c */
 extern int squashfs_get_id(struct super_block *, unsigned int, unsigned int *);

diff --git a/trunk/fs/squashfs/super.c b/trunk/fs/squashfs/super.c
@@ -261,6 +261,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
 		msblk->inode_lookup_table = NULL;
 		goto failed_mount;
 	}
+	next_table = msblk->inode_lookup_table[0];
 
 	sb->s_export_op = &squashfs_export_ops;
 
@@ -278,7 +279,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
 
 	/* Allocate and read fragment index table */
 	msblk->fragment_index = squashfs_read_fragment_index_table(sb,
-		le64_to_cpu(sblk->fragment_table_start), fragments);
+		le64_to_cpu(sblk->fragment_table_start), next_table, fragments);
 	if (IS_ERR(msblk->fragment_index)) {
 		ERROR("unable to read fragment index table\n");
 		err = PTR_ERR(msblk->fragment_index);