| Message ID | 1403110279-28688-1-git-send-email-vincent.stehle@laposte.net (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Wed, Jun 18, 2014 at 06:51:19PM +0200, Vincent Stehlé wrote: > This patch actually allowed me to finish a btrfs restore of a damaged > filesystem, which was repeateadly crashing otherwise. This was with v3.12, but > I think it still makes sense. It does, thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/cmds-restore.c b/cmds-restore.c index 96b97e1..4338493 100644 --- a/cmds-restore.c +++ b/cmds-restore.c @@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char *outbuf, u64 compress_len, while (tot_in < tot_len) { in_len = read_compress_length(inbuf); + + if ((tot_in + LZO_LEN + in_len) > tot_len) { + fprintf(stderr, "bad compress length %lu\n", in_len); + return -1; + } + inbuf += LZO_LEN; tot_in += LZO_LEN;
When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe() with corrupt data during restore can lead to crashes. Reduce the risk by adding a check on the input length. Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net> --- Hi, This patch actually allowed me to finish a btrfs restore of a damaged filesystem, which was repeateadly crashing otherwise. This was with v3.12, but I think it still makes sense. Best regards, V. cmds-restore.c | 6 ++++++ 1 file changed, 6 insertions(+)