Squashfs: add sanity checks to xattr reading at mount time

These checks add sanity checking of the mount-time xattr structures.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>

diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
index 51a7bd0cc449ac2db7dbbe5d606a2227dcb98e16..f60fb3cce18342d35edaeb16b7f7be1ad46eba39 100644 (file)
--- a/fs/squashfs/xattr_id.c
+++ b/fs/squashfs/xattr_id.c
@@ -76,6 +76,17 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 start,
        *xattr_table_start = le64_to_cpu(id_table->xattr_table_start);
        *xattr_ids = le32_to_cpu(id_table->xattr_ids);
        kfree(id_table);
+
+       /* Sanity check values */
+
+       /* there is always at least one xattr id */
+       if (*xattr_ids == 0)
+               return ERR_PTR(-EINVAL);
+
+       /* xattr_table should be less than start */
+       if (*xattr_table_start >= start)
+               return ERR_PTR(-EINVAL);
+
        len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
 
        TRACE("In read_xattr_index_table, length %d\n", len);