btrfs: Verify dir_item in replay_xattr_deletes
replay_xattr_deletes calls btrfs_search_slot to get buffer and reads name. Call verify_dir_item to check name_len in replay_xattr_deletes to avoid reading out of boundary. Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
This commit is contained in:
parent
26a836cec2
commit
8ee8c2d62d
|
@ -2111,6 +2111,7 @@ static int replay_xattr_deletes(struct btrfs_trans_handle *trans,
|
|||
struct btrfs_path *path,
|
||||
const u64 ino)
|
||||
{
|
||||
struct btrfs_fs_info *fs_info = root->fs_info;
|
||||
struct btrfs_key search_key;
|
||||
struct btrfs_path *log_path;
|
||||
int i;
|
||||
|
@ -2152,6 +2153,12 @@ static int replay_xattr_deletes(struct btrfs_trans_handle *trans,
|
|||
u32 this_len = sizeof(*di) + name_len + data_len;
|
||||
char *name;
|
||||
|
||||
ret = verify_dir_item(fs_info, path->nodes[0],
|
||||
path->slots[0], di);
|
||||
if (ret) {
|
||||
ret = -EIO;
|
||||
goto out;
|
||||
}
|
||||
name = kmalloc(name_len, GFP_NOFS);
|
||||
if (!name) {
|
||||
ret = -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue