Re: [PATCH v5] hfsplus: fix uninit-value by validating catalog record size
From: Charalampos Mitrodimas
Date: Tue Feb 24 2026 - 04:56:47 EST
Deepanshu Kartikey <kartikey406@xxxxxxxxx> writes:
> On Tue, Feb 24, 2026 at 12:28 AM Viacheslav Dubeyko
> <Slava.Dubeyko@xxxxxxx> wrote:
>>
>
>> > + case HFSPLUS_FILE_THREAD:
>> > + /* Ensure we have at least the fixed fields before reading nodeName.length */
>> > + if (fd->entrylength < offsetof(struct hfsplus_cat_thread, nodeName) +
>> > + offsetof(struct hfsplus_unistr, unicode)) {
>> > + pr_err("thread record too short (got %u)\n", fd->entrylength);
>> > + return -EIO;
>> > + }
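Review bot: the `offsetof(...) + offsetof(...)` sum in this condition spells out a value the tree already has a name for, HFSPLUS_MIN_THREAD_SZ (10, as the reply below points out), so comparing `fd->entrylength < HFSPLUS_MIN_THREAD_SZ` keeps the guard identical to the one in hfsplus_readdir() and makes the intent readable at a glance. The pr_err also prints only the observed length; including the required minimum in the message would make a corrupted-image report self-explanatory, e.g. `pr_err("thread record too short (got %u, need %d)\n", fd->entrylength, HFSPLUS_MIN_THREAD_SZ);`.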
>
> The check is in the HFSPLUS_FOLDER_THREAD/HFSPLUS_FILE_THREAD case in
> hfsplus_brec_read_cat() function (fs/hfsplus/bfind.c):
>
> This validates that we have at least the minimum bytes needed before
> calling hfsplus_cat_thread_size() which reads nodeName.length.
Hi,
So... yes, while this is essentially what I recommended, just checking
entrylength against HFSPLUS_MIN_THREAD_SZ will yield the same results,
because:
HFSPLUS_MIN_THREAD_SZ is already defined as 10, the same value as the
offsetof chain. hfsplus_readdir() already uses it for the same
guard. It's shorter, consistent with other places and the intent is
immediately clear (easier to read).
Cheers,
C. Mitrodimas
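
As an added, stand-alone illustration of the guard under discussion (this is not code from the patch, the kernel tree, or either reply), the program below models the two-stage check on a catalog thread record: first that the record is at least HFSPLUS_MIN_THREAD_SZ bytes so that nodeName.length can be read at all, then that the name length it declares actually fits inside the record. The struct layouts mirror the HFS+ on-disk thread record (2-byte type, 2-byte reserved, 4-byte parent ID, then a big-endian length-prefixed UTF-16 name), which is why the offsetof() chain comes out to the same 10 bytes as the macro; the function names, the record type value and the sample record are constructed for this example.

```c
/* Added example: model of the thread-record size validation discussed in the
 * thread. Not kernel code; struct layouts mirror the HFS+ on-disk format,
 * function names and sample data are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFSPLUS_MAX_STRLEN   255
#define HFSPLUS_FILE_THREAD  4   /* on-disk record type for a file thread */

struct hfsplus_unistr {
    uint16_t length;                      /* big-endian on disk */
    uint16_t unicode[HFSPLUS_MAX_STRLEN]; /* big-endian UTF-16 units */
};

struct hfsplus_cat_thread {
    uint16_t type;
    uint16_t reserved;
    uint32_t parentID;
    struct hfsplus_unistr nodeName;
};

/* Same value as the offsetof() chain in the patch: 8 + 2 == 10. */
#define HFSPLUS_MIN_THREAD_SZ \
    (offsetof(struct hfsplus_cat_thread, nodeName) + \
     offsetof(struct hfsplus_unistr, unicode))

static void be16_store(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void be32_store(uint8_t *p, uint32_t v) { be16_store(p, (uint16_t)(v >> 16)); be16_store(p + 2, (uint16_t)v); }
static uint16_t be16_load(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes a thread record occupies when its name has `len` UTF-16 units
 * (the quantity hfsplus_cat_thread_size() derives from nodeName.length). */
size_t thread_size_for_name_len(uint16_t len)
{
    return HFSPLUS_MIN_THREAD_SZ + 2u * (size_t)len;
}

/* Validate a thread record of `entrylength` bytes starting at `rec`.
 * Returns 0 if usable, -1 if the fixed fields are incomplete (the case the
 * patch guards: nodeName.length would be read from beyond the record),
 * -2 if the declared name length does not fit the record or the format. */
int validate_thread_record(const uint8_t *rec, size_t entrylength)
{
    /* Stage 1: nodeName.length lives at bytes 8..9; both must be present. */
    if (entrylength < HFSPLUS_MIN_THREAD_SZ)
        return -1;
    uint16_t len = be16_load(rec + offsetof(struct hfsplus_cat_thread, nodeName));
    /* Stage 2: the name the record claims must fit in what was actually read. */
    if (len > HFSPLUS_MAX_STRLEN || thread_size_for_name_len(len) > entrylength)
        return -2;
    return 0;
}

/* Serialize a thread record into `out` (caller provides >= 10 + 2*len bytes);
 * returns the number of bytes written. Used here to construct sample input. */
size_t build_thread_record(uint8_t *out, uint16_t type, uint32_t parent_id,
                           const uint16_t *name, uint16_t len)
{
    be16_store(out + 0, type);
    be16_store(out + 2, 0);
    be32_store(out + 4, parent_id);
    be16_store(out + 8, len);
    for (uint16_t i = 0; i < len; i++)
        be16_store(out + 10 + 2 * i, name[i]);
    return thread_size_for_name_len(len);
}

/* Exercise the validator on a constructed record and truncated views of it.
 * Returns the number of expectations that did not hold (0 == all held). */
int demo_checks(void)
{
    uint8_t buf[HFSPLUS_MIN_THREAD_SZ + 2 * HFSPLUS_MAX_STRLEN];
    const uint16_t name[3] = { 'a', 'b', 'c' };   /* constructed sample name */
    int failures = 0;
    size_t n = build_thread_record(buf, HFSPLUS_FILE_THREAD, 2, name, 3); /* 16 bytes */
    failures += (n != 16);
    failures += (validate_thread_record(buf, n) != 0);    /* complete record */
    failures += (validate_thread_record(buf, 10) != -2);  /* header only, name cut off */
    failures += (validate_thread_record(buf, 6) != -1);   /* shorter than fixed fields */
    return failures;
}

int main(void)
{
    printf("HFSPLUS_MIN_THREAD_SZ = %zu\n", (size_t)HFSPLUS_MIN_THREAD_SZ);
    printf("demo failures: %d\n", demo_checks());
    return demo_checks() != 0;
}
```

The first comparison is the one the patch adds; without it, a record of fewer than 10 bytes leaves nodeName.length outside the bytes copied from the B-tree node, which is the uninitialized read the subject line refers to. The second comparison is the follow-on check that the computed thread size is bounded by entrylength, so a name length the record cannot back is rejected rather than walked.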