btrfs: Check name_len with boundary in verify dir_item

author Su Yue <suy.fnst@cn.fujitsu.com>

Tue, 6 Jun 2017 09:57:01 +0000 (17:57 +0800)

committer David Sterba <dsterba@suse.com>

Wed, 21 Jun 2017 17:16:04 +0000 (19:16 +0200)
author Su Yue <suy.fnst@cn.fujitsu.com>
Tue, 6 Jun 2017 09:57:01 +0000 (17:57 +0800)
committer David Sterba <dsterba@suse.com>
Wed, 21 Jun 2017 17:16:04 +0000 (19:16 +0200)
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h

index d182ce792173134b91e5e311a681a72249397fb0..5e33e1d6d5c93b5700df62863ff2725a70a40339 100644 (file)
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -3036,7 +3036,7 @@ struct btrfs_dir_item *btrfs_lookup_xattr(struct btrfs_trans_handle *trans,
                                           const char *name, u16 name_len,
                                           int mod);
  int verify_dir_item(struct btrfs_fs_info *fs_info,
-                   struct extent_buffer *leaf,
+                   struct extent_buffer *leaf, int slot,
                     struct btrfs_dir_item *dir_item);
  struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
                                                  struct btrfs_path *path,
diff --git a/fs/btrfs/dir-item.c b/fs/btrfs/dir-item.c

index 5b6c6fb7c80080c5447264fc013b3970e24ac37f..d9c4a3dd071e2d8d93c191f076e72ceadfa99659 100644 (file)
--- a/fs/btrfs/dir-item.c
+++ b/fs/btrfs/dir-item.c
@@ -395,7 +395,7 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
  
         leaf = path->nodes[0];
         dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
-       if (verify_dir_item(fs_info, leaf, dir_item))
+       if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
                 return NULL;
  
         total_len = btrfs_item_size_nr(leaf, path->slots[0]);
@@ -453,9 +453,11 @@ int btrfs_delete_one_dir_name(struct btrfs_trans_handle *trans,
  
  int verify_dir_item(struct btrfs_fs_info *fs_info,
                     struct extent_buffer *leaf,
+                   int slot,
                     struct btrfs_dir_item *dir_item)
  {
         u16 namelen = BTRFS_NAME_LEN;
+       int ret;
         u8 type = btrfs_dir_type(leaf, dir_item);
  
         if (type >= BTRFS_FT_MAX) {
@@ -472,6 +474,12 @@ int verify_dir_item(struct btrfs_fs_info *fs_info,
                 return 1;
         }
  
+       namelen = btrfs_dir_name_len(leaf, dir_item);
+       ret = btrfs_is_name_len_valid(leaf, slot,
+                                     (unsigned long)(dir_item + 1), namelen);
+       if (!ret)
+               return 1;
+
         /* BTRFS_MAX_XATTR_SIZE is the same for all dir items */
         if ((btrfs_dir_data_len(leaf, dir_item) +
              btrfs_dir_name_len(leaf, dir_item)) >
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c

index e837713d0d050f9187338cd4430386061d1725ac..86cac431864be77f31e6feb85efb295f77005e7f 100644 (file)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -5934,7 +5934,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
                 ctx->pos = found_key.offset;
  
                 di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
-               if (verify_dir_item(fs_info, leaf, di))
+               if (verify_dir_item(fs_info, leaf, slot, di))
                         goto next;
  
                 name_len = btrfs_dir_name_len(leaf, di);
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c

index ccfe9fe7754a8d4d80fd3e5b1f0a1d2f2118e4e6..1930f28edcdde4572ec998f7aa4f13bd026aeea7 100644 (file)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1841,7 +1841,7 @@ static noinline int replay_one_dir_item(struct btrfs_trans_handle *trans,
         ptr_end = ptr + item_size;
         while (ptr < ptr_end) {
                 di = (struct btrfs_dir_item *)ptr;
-               if (verify_dir_item(fs_info, eb, di))
+               if (verify_dir_item(fs_info, eb, slot, di))
                         return -EIO;
                 name_len = btrfs_dir_name_len(eb, di);
                 ret = replay_one_name(trans, root, path, eb, di, key);
@@ -2017,7 +2017,7 @@ again:
         ptr_end = ptr + item_size;
         while (ptr < ptr_end) {
                 di = (struct btrfs_dir_item *)ptr;
-               if (verify_dir_item(fs_info, eb, di)) {
+               if (verify_dir_item(fs_info, eb, slot, di)) {
                         ret = -EIO;
                         goto out;
                 }
diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c

index b3cbf80c5acfa2ebe0541f14d60278f477664908..2c7e53f9ff1b9d3d3c80d6ae5f8b6fcc9e83ec6f 100644 (file)
--- a/fs/btrfs/xattr.c
+++ b/fs/btrfs/xattr.c
@@ -336,7 +336,7 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
                         u32 this_len = sizeof(*di) + name_len + data_len;
                         unsigned long name_ptr = (unsigned long)(di + 1);
  
-                       if (verify_dir_item(fs_info, leaf, di)) {
+                       if (verify_dir_item(fs_info, leaf, slot, di)) {
                                 ret = -EIO;
                                 goto err;
                         }
author	Su Yue <suy.fnst@cn.fujitsu.com>
	Tue, 6 Jun 2017 09:57:01 +0000 (17:57 +0800)
committer	David Sterba <dsterba@suse.com>
	Wed, 21 Jun 2017 17:16:04 +0000 (19:16 +0200)
fs/btrfs/ctree.h		patch \| blob \| history
fs/btrfs/dir-item.c		patch \| blob \| history
fs/btrfs/inode.c		patch \| blob \| history
fs/btrfs/tree-log.c		patch \| blob \| history
fs/btrfs/xattr.c		patch \| blob \| history