[PATCH v2 4/4] ntfs: add bounds check before accessing EA entries

From: Hyunchul Lee

Date: Sat May 23 2026 - 00:16:52 EST


In ntfs_ea_lookup and ntfs_listxattr, verify that there is enough
space left for an EA entry before accessing the next_entry_offset field
of that entry.

Signed-off-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
---
fs/ntfs/ea.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/fs/ntfs/ea.c b/fs/ntfs/ea.c
index c4a4a3e3e599..0cd192752b7c 100644
--- a/fs/ntfs/ea.c
+++ b/fs/ntfs/ea.c
@@ -53,11 +53,11 @@ static int ntfs_ea_lookup(char *ea_buf, s64 ea_buf_size, const char *name,
loff_t offset, p_ea_size;
unsigned int next;

- if (ea_buf_size < sizeof(struct ea_attr))
- goto out;
-
offset = 0;
do {
+ if (ea_buf_size - offset < sizeof(struct ea_attr))
+ break;
+
p_ea = (const struct ea_attr *)&ea_buf[offset];
next = le32_to_cpu(p_ea->next_entry_offset);
p_ea_size = next ? next : (ea_buf_size - offset);
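Review bot: The new guard `ea_buf_size - offset < sizeof(struct ea_attr)` compares a signed 64-bit difference (`offset` is `loff_t`, `ea_buf_size` is `s64`) with a `size_t`, so on 64-bit builds the left side is converted to unsigned and a negative difference would pass the check instead of failing it. Whether `offset` can ever exceed `ea_buf_size` depends on the rest of the loop body, which lies outside this hunk. If that invariant is not enforced there, writing the test as `if (offset > ea_buf_size || ea_buf_size - offset < sizeof(struct ea_attr))` makes it hold locally. The check added in ntfs_listxattr (`ea_info_qsize - offset`) has the same shape, though the variable types are not visible in that hunk.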
@@ -479,13 +479,13 @@ ssize_t ntfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
if (ea_info_qsize > ea_buf_size || ea_info_qsize == 0)
goto out;

- if (ea_info_qsize < sizeof(struct ea_attr)) {
- err = -EIO;
- goto out;
- }
-
offset = 0;
do {
+ if (ea_info_qsize - offset < sizeof(struct ea_attr)) {
+ err = -EIO;
+ goto out;
+ }
+
p_ea = (const struct ea_attr *)&ea_buf[offset];
next = le32_to_cpu(p_ea->next_entry_offset);
ea_size = next ? next : (ea_info_qsize - offset);
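Review bot: A short trailing entry is treated as corruption here (`err = -EIO; goto out;`), while the same condition in ntfs_ea_lookup now only `break`s out of the loop, so the two EA walkers disagree on whether a truncated tail is an error. The removed code in ntfs_ea_lookup used `goto out`, and what the function returns after the new `break` is decided by code outside the hunk, so the first-iteration result may have changed as well. If the difference is intended, a comment on the lookup check such as `/* short tail: stop the walk, entry not found */` would record it; otherwise both sites should take the same error path. Both loop bodies continue past the visible lines.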
--
2.43.0