aboutsummaryrefslogtreecommitdiffstats
path: root/volumes.c
diff options
context:
space:
mode:
authorDavid Sterba <dsterba@suse.cz>2014-11-05 15:24:51 +0100
committerDavid Sterba <dsterba@suse.com>2016-01-04 11:28:24 +0100
commitd9463cfeaa9a131062752c1136825071137c78f5 (patch)
treea94d2a7aaa4335d314d1139d94ba7aa79ae205c6 /volumes.c
parent22d9c7091b3855663571cf445141ba2b24522bd0 (diff)
downloadbtrfs-progs-d9463cfeaa9a131062752c1136825071137c78f5.tar.gz
btrfs-progs-d9463cfeaa9a131062752c1136825071137c78f5.tar.xz
btrfs-progs-d9463cfeaa9a131062752c1136825071137c78f5.zip
btrfs-progs: add more checks to btrfs_read_sys_array
Port of kernel commit e3540eab29e1b2260bc4b9b3979a49a00e3e3af8 Verify that the sys_array has enough bytes to read the next item. Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'volumes.c')
-rw-r--r--volumes.c26
1 files changed, 23 insertions, 3 deletions
diff --git a/volumes.c b/volumes.c
index 939ff7b..32d9a5a 100644
--- a/volumes.c
+++ b/volumes.c
@@ -1818,20 +1818,34 @@ int btrfs_read_sys_array(struct btrfs_root *root)
while (cur_offset < array_size) {
disk_key = (struct btrfs_disk_key *)array_ptr;
+ len = sizeof(*disk_key);
+ if (cur_offset + len > array_size)
+ goto out_short_read;
+
btrfs_disk_key_to_cpu(&key, disk_key);
- len = sizeof(*disk_key);
array_ptr += len;
sb_array_offset += len;
cur_offset += len;
if (key.type == BTRFS_CHUNK_ITEM_KEY) {
chunk = (struct btrfs_chunk *)sb_array_offset;
+ /*
+ * At least one btrfs_chunk with one stripe must be
+ * present, exact stripe count check comes afterwards
+ */
+ len = btrfs_chunk_item_size(1);
+ if (cur_offset + len > array_size)
+ goto out_short_read;
+
+ num_stripes = btrfs_chunk_num_stripes(sb, chunk);
+ len = btrfs_chunk_item_size(num_stripes);
+ if (cur_offset + len > array_size)
+ goto out_short_read;
+
ret = read_one_chunk(root, &key, sb, chunk, -1);
if (ret)
break;
- num_stripes = btrfs_chunk_num_stripes(sb, chunk);
- len = btrfs_chunk_item_size(num_stripes);
} else {
BUG();
}
@@ -1841,6 +1855,12 @@ int btrfs_read_sys_array(struct btrfs_root *root)
}
free_extent_buffer(sb);
return ret;
+
+out_short_read:
+ printk("ERROR: sys_array too short to read %u bytes at offset %u\n",
+ len, cur_offset);
+ free_extent_buffer(sb);
+ return -EIO;
}
int btrfs_read_chunk_tree(struct btrfs_root *root)