[PATCH v2] hfsplus: Add additional range check to handle on-disk corruptions
From: Naohiro Aota
Date: Sun Jul 17 2011 - 18:09:12 EST
Christoph Hellwig <hch@xxxxxxxxxxxxx> writes:
>>
>> diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
>> index 2312de3..5c51d04 100644
>> --- a/fs/hfsplus/brec.c
>> +++ b/fs/hfsplus/brec.c
>> @@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
>> node->tree->node_size - (rec + 1) * 2);
>> if (!recoff)
>> return 0;
>> + if (recoff >= node->tree->node_size) {
>> + printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
>> + return 0;
>> + }
>
> As non-obvious as it sounds 0 is indded the canonical error return from
> hfs_brec_keylen, so that patch looks good to me. Can you resend it
> with a better title and description mentioning better validatation of
> the on-disk structures?
I've revised the patch and description.
Change from v1:
Change the check from "recoff >= node->tree->node_size" to "recoff >
node->tree->node_size - 2": Check not only the first byte but also the
last byte to be read is in to be read is in node range.