
Commit 702d493

fs/ntfs3: Add a check for attr_names and oatbl
Added out-of-bound checking for *ane (ATTR_NAME_ENTRY). Reported-by: lei lu <[email protected]> Fixes: 865e7a7 ("fs/ntfs3: Reduce stack usage") Signed-off-by: Konstantin Komarov <[email protected]>
1 parent 50c4787 commit 702d493


1 file changed

+32
-6
lines changed


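--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -3726,6 +3726,8 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 
 u64 rec_lsn, checkpt_lsn = 0, rlsn = 0;
 struct ATTR_NAME_ENTRY *attr_names = NULL;
+u32 attr_names_bytes = 0;
+u32 oatbl_bytes = 0;
 struct RESTART_TABLE *dptbl = NULL;
 struct RESTART_TABLE *trtbl = NULL;
 const struct RESTART_TABLE *rt;
@@ -3740,6 +3742,7 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 struct NTFS_RESTART *rst = NULL;
 struct lcb *lcb = NULL;
 struct OPEN_ATTR_ENRTY *oe;
+struct ATTR_NAME_ENTRY *ane;
 struct TRANSACTION_ENTRY *tr;
 struct DIR_PAGE_ENTRY *dp;
 u32 i, bytes_per_attr_entry;
@@ -4318,17 +4321,40 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 lcb = NULL;
 
 check_attribute_names2:
-if (rst->attr_names_len && oatbl) {
-struct ATTR_NAME_ENTRY *ane = attr_names;
-while (ane->off) {
+if (attr_names && oatbl) {
+off = 0;
+for (;;) {
+/* Check we can use attribute name entry 'ane'. */
+static_assert(sizeof(*ane) == 4);
+if (off + sizeof(*ane) > attr_names_bytes) {
+/* just ignore the rest. */
+break;
+}
+
+ane = Add2Ptr(attr_names, off);
+t16 = le16_to_cpu(ane->off);
+if (!t16) {
+/* this is the only valid exit. */
+break;
+}
+
+/* Check we can use open attribute entry 'oe'. */
+if (t16 + sizeof(*oe) > oatbl_bytes) {
+/* just ignore the rest. */
+break;
+}
+
 /* TODO: Clear table on exit! */
-oe = Add2Ptr(oatbl, le16_to_cpu(ane->off));
+oe = Add2Ptr(oatbl, t16);
 t16 = le16_to_cpu(ane->name_bytes);
+off += t16 + sizeof(*ane);
+if (off > attr_names_bytes) {
+/* just ignore the rest. */
+break;
+}
 oe->name_len = t16 / sizeof(short);
 oe->ptr = ane->name;
 oe->is_attr_name = 2;
-ane = Add2Ptr(ane,
-sizeof(struct ATTR_NAME_ENTRY) + t16);
 }
 }
 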
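Review bot: `attr_names_bytes` and `oatbl_bytes` are declared in the first hunk as `= 0`, and none of the 32 added lines on this page assigns them, so the first bound test in the third hunk, `if (off + sizeof(*ane) > attr_names_bytes)`, is true with `off == 0` and the loop breaks on its first pass. That stops the out-of-bounds walk over `ane`, but it also means `oe->name_len`, `oe->ptr` and `oe->is_attr_name` are never set during replay. The fix is to record both lengths where the buffers are populated, which is outside these hunks: `attr_names_bytes = <length of the attr_names copy>;` and `oatbl_bytes = <length of the oatbl copy>;` next to the respective allocations. The "just ignore the rest" breaks also treat a corrupted table the same as a clean one, so a log message or an error return on those paths would make a malformed $LogFile visible. The body of `log_replay` starts and ends outside all three hunks.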
