From: Edward Adam Davis <eadavis@sina.com>

the root cause is: 
The remaining space after the offset is less than the space needed to 
accommodate the next EA_FULL struct.

Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
Reported-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Edward Adam Davis <eadavis@sina.com>
---
Changes in v3:
  Add Suggested-by: and fix the syntax err.

 fs/ntfs3/xattr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..c90cc453390d 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -52,6 +52,7 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
 	for (;;) {
 		const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
 		u32 next_off = *off + unpacked_ea_size(ea);
+		u32 next_len = 0;
 
 		if (next_off > bytes)
 			return false;
@@ -63,6 +64,13 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
 		*off = next_off;
 		if (next_off >= bytes)
 			return false;
+
+		next_len = next_off + 8;
+		if (next_len >= bytes ||
+		    ((!ea->size) &&
+		     (next_len + ea->name_len + 
+		      le16_to_cpu(ea->elength) >= bytes)))
+			return false;
 	}
 }
 
-- 
2.37.2