summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Brüns <stefan.bruens@rwth-aachen.de>2016-09-06 05:36:50 +0300
committerDongjin Kim <tobetter@gmail.com>2020-02-10 16:44:41 +0300
commitc140328021e3ab94faf6d4f905c9550419e1cc7b (patch)
tree7e3be9e90df37cb5ada6d796a58f51a158765135
parentce9ad752eb425031127d04dfd8af13b2f31c00b2 (diff)
downloadu-boot-c140328021e3ab94faf6d4f905c9550419e1cc7b.tar.xz
ext4: Avoid out-of-bounds access of block bitmap
If the blocksize is 1024, count is initialized with 1. Incrementing count by 8 will never match (count == fs->blksz * 8), and ptr may be incremented beyond the buffer end if the bitmap is filled. Add the startblock offset after the loop. Remove the second loop, as only the first iteration will be done. Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Reviewed-by: Lukasz Majewski <l.majewski@samsung.com>
-rw-r--r--fs/ext4/ext4_common.c34
1 files changed, 12 insertions, 22 deletions
diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
index 7864753278..f43746e5aa 100644
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@@ -171,18 +171,12 @@ static int _get_new_inode_no(unsigned char *buffer)
static int _get_new_blk_no(unsigned char *buffer)
{
- unsigned char input;
- int operand, status;
+ int operand;
int count = 0;
- int j = 0;
+ int i;
unsigned char *ptr = buffer;
struct ext_filesystem *fs = get_fs();
- if (fs->blksz != 1024)
- count = 0;
- else
- count = 1;
-
while (*ptr == 255) {
ptr++;
count += 8;
@@ -190,21 +184,17 @@ static int _get_new_blk_no(unsigned char *buffer)
return -1;
}
- for (j = 0; j < fs->blksz; j++) {
- input = *ptr;
- int i = 0;
- while (i <= 7) {
- operand = 1 << i;
- status = input & operand;
- if (status) {
- i++;
- count++;
- } else {
- *ptr |= operand;
- return count;
- }
+ if (fs->blksz == 1024)
+ count += 1;
+
+ for (i = 0; i <= 7; i++) {
+ operand = 1 << i;
+ if (*ptr & operand) {
+ count++;
+ } else {
+ *ptr |= operand;
+ return count;
}
- ptr = ptr + 1;
}
return -1;