ext4: validate directory entry data before use
ext4_dx_find_entry uses ext4_next_entry without verifying that the entry is valid. If its rec_len == 0 this causes an infinite loop. Refactor the loop to check the validity of entries before checking whether they match and moving onto the next one. There are other uses of ext4_next_entry in this file which also look problematic. They should be reviewed and fixed if/when we have a test-case that triggers them. This patch fixes the first case (image hdb.25.softlockup.gz) reported in http://bugzilla.kernel.org/show_bug.cgi?id=10882. Signed-off-by: Duane Griffin <duaneg@dghda.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
This commit is contained in:
Duane Griffin
Theodore Ts'o
parent
71dc8fbcf5
commit
f3b35f063e
|
|
@ -993,19 +993,21 @@ static struct buffer_head * ext4_dx_find_entry(struct dentry *dentry,
|
|||
de = (struct ext4_dir_entry_2 *) bh->b_data;
|
||||
top = (struct ext4_dir_entry_2 *) ((char *) de + sb->s_blocksize -
|
||||
EXT4_DIR_REC_LEN(0));
|
||||
for (; de < top; de = ext4_next_entry(de))
|
||||
if (ext4_match (namelen, name, de)) {
|
||||
if (!ext4_check_dir_entry("ext4_find_entry",
|
||||
dir, de, bh,
|
||||
(block<<EXT4_BLOCK_SIZE_BITS(sb))
|
||||
+((char *)de - bh->b_data))) {
|
||||
brelse (bh);
|
||||
for (; de < top; de = ext4_next_entry(de)) {
|
||||
int off = (block << EXT4_BLOCK_SIZE_BITS(sb))
|
||||
+ ((char *) de - bh->b_data);
|
||||
|
||||
if (!ext4_check_dir_entry(__func__, dir, de, bh, off)) {
|
||||
brelse(bh);
|
||||
*err = ERR_BAD_DX_DIR;
|
||||
goto errout;
|
||||
}
|
||||
*res_dir = de;
|
||||
dx_release (frames);
|
||||
return bh;
|
||||
|
||||
if (ext4_match(namelen, name, de)) {
|
||||
*res_dir = de;
|
||||
dx_release(frames);
|
||||
return bh;
|
||||
}
|
||||
}
|
||||
brelse (bh);
|
||||
/* Check to see if we should continue to search */
|
||||
|
|
|
|||
Reference in New Issue