authorJan Kara <jack@suse.cz>2012-07-10 17:58:04 +0200
committerPaul Gortmaker <paul.gortmaker@windriver.com>2013-01-16 16:45:06 -0500
commit1bf86851f449172c5cb6ed1d8a05c5e45994b56b (patch)
treefb65a177291507d54ce665260b1070f68565c2c5
parentd7542a6eb171336db2101522803f46e6e624bd1f (diff)
udf: Improve table length check to avoid possible overflow
commit 57b9655d01ef057a523e810d29c37ac09b80eead upstream. When a partition table length is corrupted to be close to 1 << 32, the check for its length may overflow on 32-bit systems and we will think the length is valid. Later on the kernel can crash trying to read beyond end of buffer. Fix the check to avoid possible overflow. Reported-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--fs/udf/super.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 988a332e30dd..1d36fdd4ae56 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1307,7 +1307,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
BUG_ON(ident != TAG_IDENT_LVD);
lvd = (struct logicalVolDesc *)bh->b_data;
table_len = le32_to_cpu(lvd->mapTableLength);
- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
udf_error(sb, "error loading logical volume descriptor: "
"Partition table too long (%u > %lu)\n", table_len,
sb->s_blocksize - sizeof(*lvd));
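Review bot: The rewritten condition `if (table_len > sb->s_blocksize - sizeof(*lvd))` is only wrap-free while `sb->s_blocksize >= sizeof(*lvd)`; both operands are unsigned, so a smaller block size would make the right-hand side wrap to a very large value and any `table_len` would pass the check. Nothing in the hunk shows that lower bound being enforced, so it is presumably guaranteed by the block sizes the filesystem accepts at mount time. I would record that next to the check, e.g. `/* s_blocksize >= sizeof(*lvd) is guaranteed by the minimum block size, so this subtraction cannot wrap */`, or make it explicit with `if (sb->s_blocksize < sizeof(*lvd) || table_len > sb->s_blocksize - sizeof(*lvd)) {`. The body of udf_load_logicalvol starts and ends outside the hunk, so the code that later reads the partition maps bounded by `table_len` is not visible here.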