btrfs: Check name_len before in btrfs_del_root_ref

btrfs_del_root_ref calls btrfs_search_slot and reads name from root_ref.
Call btrfs_is_name_len_valid before memcmp.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
index 7d6bc308bf4308f653cc300c1354602ddd0df911..460db0cb2d0734db78c52a934620953b5677de23 100644 (file)
--- a/fs/btrfs/root-tree.c
+++ b/fs/btrfs/root-tree.c
@@ -390,6 +390,13 @@ again:
                WARN_ON(btrfs_root_ref_dirid(leaf, ref) != dirid);
                WARN_ON(btrfs_root_ref_name_len(leaf, ref) != name_len);
                ptr = (unsigned long)(ref + 1);
+               ret = btrfs_is_name_len_valid(leaf, path->slots[0], ptr,
+                                             name_len);
+               if (!ret) {
+                       err = -EIO;
+                       goto out;
+               }
+
                WARN_ON(memcmp_extent_buffer(leaf, name, ptr, name_len));
                *sequence = btrfs_root_ref_sequence(leaf, ref);