| author | Hyunchul Lee <hyc.lee@gmail.com> | 2026-05-23 13:14:23 +0900 |
|---|---|---|
| committer | Namjae Jeon <linkinjeon@kernel.org> | 2026-05-25 11:41:01 +0900 |
| commit | 7e62b8b74327d70ed98778a516c2748d48f7276c (patch) | |
| tree | 57d632060840b4e3656fd43443b8c6a1086451a2 /fs | |
| parent | bf27cabc2a297ca0e82d77cd648ecb9f97d23307 (diff) | |
ntfs: add bounds check before accessing EA entries
In ntfs_ea_lookup and ntfs_listxattr, this verifies that there is enough
space in the EA entry before accessing the next_entry_offset field of
the EA entry.
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/ntfs/ea.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/fs/ntfs/ea.c b/fs/ntfs/ea.c
index c4a4a3e3e5996..0cd192752b7cd 100644
--- a/fs/ntfs/ea.c
+++ b/fs/ntfs/ea.c
@@ -53,11 +53,11 @@ static int ntfs_ea_lookup(char *ea_buf, s64 ea_buf_size, const char *name,
 loff_t offset, p_ea_size;
 unsigned int next;
- if (ea_buf_size < sizeof(struct ea_attr))
- goto out;
-
 offset = 0;
 do {
+ if (ea_buf_size - offset < sizeof(struct ea_attr))
+ break;
+
 p_ea = (const struct ea_attr *)&ea_buf[offset];
 next = le32_to_cpu(p_ea->next_entry_offset);
 p_ea_size = next ? next : (ea_buf_size - offset);
@@ -479,13 +479,13 @@ ssize_t ntfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
 if (ea_info_qsize > ea_buf_size || ea_info_qsize == 0)
 goto out;
- if (ea_info_qsize < sizeof(struct ea_attr)) {
- err = -EIO;
- goto out;
- }
-
 offset = 0;
 do {
+ if (ea_info_qsize - offset < sizeof(struct ea_attr)) {
+ err = -EIO;
+ goto out;
+ }
+
 p_ea = (const struct ea_attr *)&ea_buf[offset];
 next = le32_to_cpu(p_ea->next_entry_offset);
 ea_size = next ? next : (ea_info_qsize - offset); |
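Review bot: The new per-iteration check in ntfs_ea_lookup compares a signed difference (`s64 ea_buf_size` minus `loff_t offset`) with `sizeof`, so on 64-bit builds a negative remainder is converted to a very large unsigned value and passes the check. Whether `offset` can ever exceed `ea_buf_size` depends on how the loop validates `next` and advances, which is outside the hunk; if it can, the read of `next_entry_offset` is still out of bounds, and the outcome differs between 32-bit and 64-bit builds. Keeping the comparison signed closes that regardless of the rest of the loop: `if (ea_buf_size - offset < (s64)sizeof(struct ea_attr))`. The ntfs_listxattr hunk uses the same form with `ea_info_qsize - offset`; the operand types there are declared outside the hunk and should be checked the same way.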
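Review bot: A truncated entry is reported as `-EIO` in the ntfs_listxattr loop, while the same condition in ntfs_ea_lookup only does `break`, so the two walkers now disagree about whether a short EA tail counts as corruption. What follows the loop in ntfs_ea_lookup is outside the hunk, but if it falls through to a not-found result, a damaged EA stream would be indistinguishable from a missing attribute for callers of the lookup. Consider returning an error there too, or document the choice at the `break` with a comment such as `/* truncated tail: treat as end of EA list */`.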
