[PATCH] hfsplus: Fix potential buffer overflows

[PATCH] hfsplus: Fix potential buffer overflows

[Greg Kroah-Hartman]

commit ec81aecb29668ad71f699f4e7b96ec46691895b6 (hfs: fix a potential
buffer overflow) fixed a few potential buffer overflows in the hfs
filesystem.  But as Timo Warns pointed out, these changes also need to
be made on the hfsplus filesystem as well.

Reported-by: Timo Warns <warns@pre-sense.de>
Cc: WANG Cong <amwang@redhat.com>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Cong Wang <amwang@redhat.com>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Sage Weil <sage@newdream.net>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: stable <stable@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/hfsplus/catalog.c |    4 ++++
 fs/hfsplus/dir.c     |   11 +++++++++++
 2 files changed, 15 insertions(+)

--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
 	err = hfs_brec_find(&src_fd);
 	if (err)
 		goto out;
+	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
+		err = -EIO;
+		goto out;
+	}
 
 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
 				src_fd.entrylength);
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *
 		filp->f_pos++;
 		/* fall through */
 	case 1:
+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+			err = -EIO;
+			goto out;
+		}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
 			fd.entrylength);
 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *
 			err = -EIO;
 			goto out;
 		}
+
+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+			err = -EIO;
+			goto out;
+		}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
 			fd.entrylength);
 		type = be16_to_cpu(entry.type);

Re: [PATCH] hfsplus: Fix potential buffer overflows

[Linus Torvalds]

On Fri, May 4, 2012 at 12:09 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> Reported-by: Timo Warns <warns@pre-sense.de>
> Cc: WANG Cong <amwang@redhat.com>

Tssk. You got an ack at least from Cong.

> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
> Cc: Cong Wang <amwang@redhat.com>

.. who you have listed twice with just a cc.

                      Linus

Re: [PATCH] hfsplus: Fix potential buffer overflows

[Greg Kroah-Hartman]

On Fri, May 04, 2012 at 04:53:47PM -0700, Linus Torvalds wrote:
> On Fri, May 4, 2012 at 12:09 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > Reported-by: Timo Warns <warns@pre-sense.de>
> > Cc: WANG Cong <amwang@redhat.com>
> 
> Tssk. You got an ack at least from Cong.

Oops, you are right, sorry.

> > Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
> > Cc: Cong Wang <amwang@redhat.com>
> 
> .. who you have listed twice with just a cc.

Ugh, my fault, sorry.

greg k-h