Commit a6a4afa5c41f299404424cc55fa26611751bf38d
Committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
1 parent
1a927faa55
udf: Verify i_size when loading inode
commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream. Verify that inode size is sane when loading inode with data stored in ICB. Otherwise we may get confused later when working with the inode and inode size is too big. Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 14 additions and 0 deletions Side-by-side Diff
fs/udf/inode.c
| ... | ... | @@ -1489,6 +1489,20 @@ |
| 1489 | 1489 | } |
| 1490 | 1490 | inode->i_generation = iinfo->i_unique; |
| 1491 | 1491 | |
| 1492 | + /* Sanity checks for files in ICB so that we don't get confused later */ | |
| 1493 | + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { | |
| 1494 | + /* | |
| 1495 | + * For file in ICB data is stored in allocation descriptor | |
| 1496 | + * so sizes should match | |
| 1497 | + */ | |
| 1498 | + if (iinfo->i_lenAlloc != inode->i_size) | |
| 1499 | + goto out; | |
| 1500 | + /* File in ICB has to fit in there... */ | |
| 1501 | + if (inode->i_size > inode->i_sb->s_blocksize - | |
| 1502 | + udf_file_entry_alloc_offset(inode)) | |
| 1503 | + goto out; | |
| 1504 | + } | |
| 1505 | + | |
| 1492 | 1506 | switch (fe->icbTag.fileType) { |
| 1493 | 1507 | case ICBTAG_FILE_TYPE_DIRECTORY: |
| 1494 | 1508 | inode->i_op = &udf_dir_inode_operations; |